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Summary  of  our  key  findings 

See  page  23         Chief  Executive  Officer  (CEO)  selection,  evaluation  and 
compensation 

Agencies — through  their  programs  and  services— affect  all  Albertans.  Agency 
CEOs  set  the  tone  for  their  agency,  develop  direction,  oversee  operations,  and 
advise  the  board  of  directors.  CEO  selection  is  the  most  important  decision  that  an 
agency's  board  of  directors  makes.  Boards  also  improve  CEO  performance  by 
giving  feedback  to  the  CEO  through  evaluations.  Through  compensation,  boards 
attract,  motivate,  and  keep  a  CEO. 

The  following  steps  will  improve  systems  to  select,  evaluate  and  compensate  CEOs: 

•  Government  needs  to  provide  guidance  to  agencies  and  departments. 

•  The  Agency  Governance  Secretariat  should  obtain  CEO  evaluation  and 
compensation  information  and  assess  if  good  practices  are  consistently 
followed. 

•  The  Ministry  of  Treasury  Board  needs  to  consider  improving  public  disclosure 
of  CEO  compensation  by  applying  new  private-sector  disclosure  requirements. 

Boards  need  to: 

•  prepare  CEO  recruitment  and  succession  policies  and  plans. 

•  ensure  comprehensive  CEO  performance  evaluations  are  completed. 

•  develop  compensation  policies  for  CEOs,  improve  the  use  of  peer-group 
comparisons  in  setting  CEO  compensation,  and  develop  processes  to  ensure 
compensation  consultants  are  independent. 

See  page  53         Protecting  information  assets 

The  Government  of  Alberta  (GoA)  manages  huge  volumes  of  sensitive  and 
confidential  information.  This  includes  business  and  financial  data  and  personal 
information,  such  as  medical  records  and  drivers'  license  data.  All  this  information, 
stored  electronically,  is  vital  to  GoA  operations.  Albertans  expect  the 
confidentiality,  integrity  and  availability  of  this  information  to  be  assured.  The  GoA 
has  a  duty  to  safeguard  this  information  properly.  It's  not  doing  so. 

GoA  information  technology  (IT)  security  is  inadequate.  Establishing  a  central 
security  office  with  responsibility  and  authority  to  control  and  protect  all  GoA 
information  assets  is  key  to  overcoming  the  deficiencies  that  exist  today.  A 
decentralized  approach,  while  effective  for  program  delivery,  is  inadequate  for 
proper  IT  security.  This  matters  because: 
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•  GoA  is  a  $38  billion/year  organization  and  important  financial  information  is  at 
risk. 

•  Confidential  personal  information  of  all  Albertans  is  at  risk.  By  law,  government 
must  protect  personal  information. 

The  GoA  needs  a  central  security  office — immediately — to  develop,  implement, 
monitor,  and  enforce  government-wide  IT  security.  A  chief  security  officer 
(CSO) — with  the  appropriate  mandate  from  Executive  Council — should  lead  the 
office. 

Service  Alberta  provides  the  shared  computing  infrastructure,  but  it  has  no 
government-wide  authority  to  enforce  compliance  with  GoA  security  policies. 

See  page  93         Alberta 's  response  to  climate  change 

The  Government  of  Alberta  (GoA)  made  climate-change  commitments  in  Albertans 
&  Climate  Change:  Taking  Action,  its  2002  climate-change  plan  and  in  Alberta 's 
2008  Climate  Change  Strategy  (which  replaced  the  2002  plan).  The  GoA 
established  targets  for  both  emissions  intensity  and  absolute  reductions  but  has  not 
yet  corroborated  that  the  actions  chosen  will  result  in  Alberta  meeting  its  targets. 

To  meet  these  targets,  the  GoA  now  needs  to: 

•  establish  criteria  for  deciding  specific  actions. 

•  develop  a  master  implementation  plan. 

•  improve  the  processes  for  monitoring  climate-change  results. 

•  ensure  reported  data  is  relevant  and  reliable. 

See  page  109        ATB  Financial — treasury  management 

ATB  Financial  (ATB)  provides  financial  services  to  over  660,000  customers  in 
244  Alberta  communities  and  has  over  $24  billion  in  assets.  ATB's  returns — both 
gains  and  losses — belong  to  all  Albertans.  The  GoA  provides  a  deposit  guarantee  to 
all  ATB  depositors.  The  potential  cost  to  Albertans  of  the  deposit  guarantee  makes  it 
important  that  ATB  manages  its  funds  and  risks  appropriately. 

For  the  year-ended  March  31,  2008,  ATB  recorded  a  $253  million  provision  on  its 
investment  in  asset-backed  commercial  paper.  Learning  from  this  situation,  ATB 
needs  to  improve  its  treasury-management  systems.  To  do  so,  ATB  needs  to: 

•  implement  processes  to  fully  understand  investment  products  and  their  risks 
before  buying  them.  And  improve  investment  risk  monitoring  systems. 

•  change  its  investment  performance  target  setting  process  and  variable  pay 
program  guidelines. 

•  improve  its  liquidity  reporting,  contingency  plan,  and  risk  identification 
processes. 
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•  enhance  its  interest  rate  risk  measurement  systems. 

•  update  its  treasury  policies  for  industry  good  practices. 

•  upgrade  its  treasury  information  technology  tools. 

•  use  its  Asset  Liability  Committee  more  effectively. 

ATB  is  taking  action  to  improve  its  systems. 

See  page  151        Alberta's  mental  health  service  delivery  system 

The  Provincial  Mental  Health  Plan  (April  2004)  envisions  a  transformed  service 
delivery  system  that  focuses  on  client  recovery,  community-based  services  and 
integrated  services  and  supports.  The  current  system  still  focuses  on  hospital  beds 
and  clinics,  so  has  not  yet  completed  that  transformation. 

While  all  regional  health  authorities  provide  a  continuum  of  mental  health  care 
services,  the  system  faces  serious  challenges.  Services  to  clients  and  patients  can 
improve  by  making  access  to  the  system  easier,  reducing  wait  times  for  many 
programs  and  coordinating  care  better.  Factors  such  as  the  stigma  attached  to  the 
illness,  its  chronic  nature,  and  the  transfer  of  responsibility  for  care  delivery 
between  service  providers  combine  to  keep  mental  health  in  the  background. 

To  improve  delivery  of  mental  health  services  in  accordance  with  the  principles  of 
the  Provincial  Mental  Health  Plan,  the  Ministry  of  Health  and  Wellness  needs  to: 

•  develop  mental  health  standards  that  form  the  foundation  for  the  mental  health 
system. 

•  eliminate  gaps  in  services.  Gaps  are  where  programs  either  do  not  exist  or  have 
a  long  wait  time.  Poorly  coordinated  care  also  signifies  a  gap  in  services, 
resulting  in  clients  not  getting  the  service  they  need. 

•  better  coordinate  and  manage  services  across  the  province  and  within  regions  to 
improve  efficiency. 

•  increase  accountability  for  the  mental  health  service  delivery  system. 

See  page  281        Alberta  Investment  Management  Corporation  (AIMCo) 

AIMCo,  a  newly  formed  Crown  corporation,  commenced  its  operations  on 
January  1,  2008.  It  now  manages  investments,  previously  managed  by  Alberta 
Finance,  with  a  market  value  of  approximately  $75  billion,  including  Alberta 
pension  funds  and  the  Heritage  Savings  Trust  Fund. 

Our  overall  finding  in  auditing  the  investment  pools  is  that  senior  management 
needs  to  focus  its  attention  on  internal  control.  When  senior  managers  make  internal 
control  a  top  priority  and  provide  active  leadership,  and  when  a  board  satisfies  itself 
the  principles  and  expectations  for  the  control  environment  are  in  place,  the  people 
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who  are  responsible  for  internal  control  will  also  make  cost-effective  control  a  top 
priority. 

With  the  imminent  prospect  of  the  funds  under  management  growing  in  an 
increasingly  complex  investment  market,  we  believe  the  key  to  AIMCo's  continued 
success  is  to  introduce  a  process  for  certifying  the  design  and  operating 
effectiveness  of  its  internal  controls. 

We  have  recommended  that  AIMCo  introduce  a  process  to  get  the  organization 
ready  for  internal  control  certification,  meaning  explicit  assertion  by  the 
organization  on  the  quality  of  its  control  processes.  We  have  outlined  the  steps, 
which  include  sub-certification  processes,  whereby  direct  reports  to  the  CEO 
provide  formal  certification  on  their  areas  of  responsibility. 

See  page  232        Universities  Academic  Pension  Plan  unfunded  liability 

Alberta's  four  universities  and  the  Department  of  Advanced  Education  and 
Technology  need  to  continue  to  work  together  to  review  the  accounting  treatment 
for  the  unfunded  liability  of  the  Universities  Academic  Pension  Plan,  to  enable  each 
University  to  properly  measure  and  record  its  share  of  the  liability  in  its  financial 

statements. 

See  page  356        Managing  Alberta's  sand  and  gravel  resources 

The  Department  of  Sustainable  Resource  Development  (SRD)  manages  these 
natural  resources  by  administering  operators'  access  to  public  lands,  and  ensuring 
compliance  with  land  reclamation  requirements.  We  found  that: 

•  SRD  is  behind,  in  some  cases  up  to  20  years,  with  land  reclamation  inspections. 

•  security  deposits  collected  from  operators  may  not  reflect  true  reclamation 
costs — operators  may  find  it  cheaper  to  abandon  security  deposits  than  to 
reclaim  land. 

•  operators  who  don't  reclaim  land  may  be  awarded  new  holdings  on  other  public 
land. 

•  royalties  are  collected,  but  are  based  on  volumes  reported  by  industry  without 
verification.  Royalty  rates  haven't  changed  since  1991. 

To  better  manage  these  natural  resources,  SRD  needs  to: 

•  improve  monitoring  and  enforcement  of  operators'  legal  obligations. 

•  assess  the  current  royalty  structure. 

•  better  use  the  information  it  has. 
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Recommendation  highlights 

This  Report  contains  114  recommendations,  all  of  which  are  listed,  starting  at 
page  7.  We  have  numbered  the  42  recommendations  that  we  think  need  a  formal 
response  from  the  government.  Of  the  42  numbered  recommendations,  40  are  new. 
The  other  2  repeat  previous  recommendations  where  implementation  progress  was 
too  slow.  By  repeating  these  recommendations,  we  expect  the  government  to 
formally  recommit  to  their  implementation. 

Prioritizing  our  recommendations 

As  part  of  the  audit  process,  we  provide  recommendations  to  government  in 
documents  called  management  letters.  We  use  our  public  reporting  to  bring  our 
recommendations  to  the  attention  of  Members  of  the  Legislative  Assembly  (MLAs). 
For  example,  members  of  the  all-party  Standing  Committee  on  Public  Accounts 
refer  to  the  recommendations  in  our  public  reports  during  their  meetings  with 
representatives  of  government  ministries  and  agencies.  To  help  MLAs,  we  prioritize 
our  recommendations  in  our  public  reports  to  indicate  where  we  believe  they  should 
focus  their  attention.  We  categorize  them  as  follows: 

•  Key  recommendations — these  are  the  numbered  recommendations  we  believe 
are  the  most  significant.  By  implementing  these  recommendations,  the 
government  will  significantly  improve  the  safety  and  welfare  of  Albertans,  the 
security  and  use  of  the  province's  resources,  or  the  governance  and  ethics  with 
which  government  operations  are  managed. 

•  Numbered  recommendations — we  believe  these  recommendations  require  a 
formal  response  from  the  government.  We  ask  government  to  accept  these 
recommendations  and  commit  to  an  implementation  date. 

•  Unnumbered  recommendations — these  recommendations,  although 
important,  do  not  require  a  formal  response  from  government.  We  obtain 
management's  acceptance  of  these  recommendations,  and  agree  to  an 
implementation  date. 

Key  recommendations 

Indicates    jne  kev  recommendations,  in  serial  order,  are  numbered:  1,  4,  11,  12,  15,  16,  23,  32 
and  40. 

Repeated  recommendations 

This  report  contains  two  repeated  numbered  recommendations: 

•  No.  22,  Advanced  Education  and  Technology — University  of  Calgary — 
PeopleSoft  Security  {2005-2006  Annual  Report,  vol.  2,  page  24  and  repeated  in 
our  2006-2007  Annual  Report,  vol.  2,  page  13) 

•  No.  33,  AIMCo — Ensure  completeness  and  accuracy  of  private  equity 
partnership  investments  (2006-2007  Annual  Report,  vol.  2,  page  92) 
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Reporting  the  status  of  recommendations 

We  require  the  government  to  agree  to  an  implementation  date  for  each 
recommendation  it  accepts.  Typically,  we  do  not  report  on  the  progress  of  an 
outstanding  recommendation  until  management  has  had  sufficient  time  to 
implement  the  recommendation  and  we  have  completed  our  follow-up  audit  work. 

The  status  of  our  recommendations  is  reported  as  follows: 

•  Implemented — we  briefly  explain  how  the  government  implemented  the 
recommendation. 

•  Repeated — we  explain  why  we  are  repeating  the  recommendation  and  what  the 
government  must  still  do  to  implement  the  recommendation. 

•  Progress  report — we  provide  information  when  we  consider  it  useful  for  MLAs 
to  understand  management's  actions. 

•  Satisfactory  progress  report — we  may  want  to  state  that  progress  is  satisfactory 
based  on  the  results  of  a  follow-up  audit. 

•  Changed  circumstance — if  the  recommendation  is  no  longer  valid,  we  briefly 
explain  why. 

Outstanding  recommendations 

We  have  a  chapter  called  Outstanding  recommendations — see  page  379.  It  provides 
a  complete  list  of  the  recommendations  that  are  not  yet  implemented. 
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October  2008  recommendations 

— Indicates  a  key  recommendation 
Green  print — numbered  recommendations 
Black  print — unnumbered  recommendations 

Chief  executive  officer  selection,  evaluation  and 
compensation 

Page  27    Guidance — Recommendation  No.  1 

(fo^^tf    We  recommend  that  the  Deputy  Minister  of  Executive  Council  through  the  Agency  Governance  Secretariat 
assist  agencies  and  departments  by  providing  guidance  in  the  areas  of  CEO  selection,  evaluation  and 
compensation. 

Page  29    Accountability — Recommendation  No.  2 

We  recommend  the  Agency  Governance  Secretariat,  on  behalf  of  Ministers,  annually  obtain  information 
from  agencies  on  CEO  evaluation  and  compensation  processes  to  assess  if  good  practices  are  being 
consistently  followed.  The  results  of  these  systems  assessments  should  be  reported  to  Ministers,  who  should 
then  hold  boards  of  directors  accountable  for  their  decisions. 

Page  32    CEO  compensation  disclosure — Recommendation  No.  3 

We  recommend  that  the  Treasury  Board  consider  applying  the  new  private-sector  compensation-disclosure 
requirement  to  the  Alberta  public  sector. 

Protecting  information  assets 

Page  53    Central  Security  Office — Recommendation  No.  4 

^==aiT    To  secure  the  Government  of  Alberta's  information,  we  recommend  that  Executive  Council  ensures  that  a 

central  security  office  is  immediately  established  to  oversee  (develop,  communicate,  implement,  monitor  and 
enforce)  all  aspects  of  information  security  for  organizations  using  the  government's  shared  information- 
technology  infrastructure. 

Page  64    Develop  and  maintain  detailed  standards  and  policies  to  build  and  operate  secure  web  applications- 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  develop  and  maintain  detailed  policies,  procedures,  and  standards  to 
build  and  operate  secure  web  applications. 

Page  66    Develop  standards  and  policies  to  ensure  web  applications  are  built  to  required  standards — 
Recommendation  No.  5 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  develop  and  implement  well-designed  and  effective  controls  to  ensure  all 
Government  of  Alberta  web  applications  consistently  meet  all  security  standards  and  requirements. 

Page  68    Review  and  improve  the  GoA's  shared  computing  infrastructure  policies,  procedures,  and  standards — 
Recommendation  No.  6 

We  recommend  that  the  Ministry  of  Service  Alberta  work  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  to  develop  and  implement  policies,  procedures,  standards,  and  well- 
designed  control  activities  for  the  Government  of  Alberta's  shared  computing  network. 
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Page  75    Wireless  policies  and  standards — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  update  its  existing  Wireless  LAN  Access  Security  Policy  to  provide 
clearer  guidance  to  Ministries  in  deploying  and  securing  wireless-network-access  points. 

Page  76    Device  configurations — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  review  the  configuration  of  laptops,  and  approve  policies  to  prevent 
laptops  from  inadvertently  exposing  the  government  environment. 

Page  77    Ongoing  monitoring  and  surveillance — Recommendation  No.  7 

We  recommend  the  Ministry  of  Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  Chief 
Information  Officer  (CIO)  Council,  update  network  surveillance  methods  to  detect  and  investigate  the 
presence  of  unauthorized  wireless  access  points  within  the  Government  of  Alberta. 

Page  84    Increasing  collaboration  by  ministries — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  and  the  Ministry  of  Infrastructure  work  in  conjunction 
with  all  ministries  and  through  the  Chief  Information  Officer  (CIO)  Council  to  improve  physical  and 
environmental  security  controls  of  data  facilities  by: 

•  improving  communication  of  responsibilities  between  ministries. 

•  establishing  government-wide  minimum  physical  and  environmental  standards  for  data  facilities. 

Page  85    Backup  power  supplies — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  work  in  conjunction  with  all  ministries  and  through  the 
Chief  Information  Officer  (CIO)  Council,  to  ensure  that  ministries  that  use  data  facilities  ensure  that 
connected  computer  equipment  has  a  sufficient  redundant  power  supply. 

Page  87    Physical  security — Recommendation  No.  8 

We  recommend  that  the  Ministry  of  Service  Alberta  work  with  the  Ministry  of  Infrastructure,  in  conjunction 
with  all  ministries  and  through  the  Chief  Information  Officer  (CIO)  Council,  to  improve: 

•  physical  security  controls  at  data  facilities. 

•  logging  of  access  to  data  facilities  by  implementing  effective  controls  to  track  access. 

Page  89    Environmental  security — Recommendation 

We  recommend  that  Ministry  of  Service  Alberta  work  with  ministries  to  improve  the  environmental  security 
controls  at  shared  data  facilities. 

Alberta's  response  to  climate  change 

Page  97    Planning — Recommendation  No.  9 

We  recommend  that  the  Ministry  of  Environment  improve  Alberta's  response  to  climate  change  by: 

•  establishing  overall  criteria  for  selecting  climate-change  actions. 

•  creating  and  maintaining  a  master  implementation  plan  for  the  actions  necessary  to  meet  the  emissions- 
intensity  target  for  2020  and  the  emissions-reduction  target  for  2050. 

•  corroborating — through  modeling  or  other  analysis — that  the  actions  chosen  by  the  Ministry  result  in 
Alberta  being  on  track  for  achieving  its  targets  for  2020  and  2050. 

Page  100    Monitoring  processes — Recommendation  No.  10 

We  recommend  that  for  each  major  action  in  the  2008  Climate  Change  Strategy,  the  Ministry  of 
Environment  evaluate  the  action's  effect  in  achieving  Alberta's  climate  change  goals. 
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Page  101    Public  reporting — Recommendation  No.  11 

®*=~fr    We  recommend  that  the  Ministry  of  Environment  improve  the  reliability,  comparability  and  relevance  of  its 
public  reporting  on  Alberta's  success  and  costs  incurred  in  meeting  climate-change  targets. 

ATB  Financial — treasury  management 

Page  118    Business  rules  and  operating  procedures — Recommendation  No.  12 

@  \i    We  recommend  that  Alberta  Treasury  Branches  develop  and  document  the  business  rules  and  operating 
procedures  required  to  implement  the  improved  investment  policy  being  developed. 

Page  123    Performance  targets — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  its  process  for  establishing  Global  Financial 
Market's  performance  targets  by  discussing  the  targets  with  the  senior  Asset  Liability  Committee  (ALCO) 
and  maintaining  evidence  that  supports  decisions  made. 

Page  125    Variable  pay  program — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  complete  its  business  rules  on  how  variable  pay  is  calculated 
for  Global  Financial  Markets'  staff  by  clarifying  how  to  deal  with: 

•  revenue  not  collected 

•  investment  losses 

Page  127    Liquidity  reporting — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  agree  internally  on  a  consistent  measure  of  liquidity  and 
report  that  measurement  to  the  Board  and  to  the  Department  of  Alberta  Finance  and  Enterprise  to  provide 
regular  and  fair  reporting. 

Page  128    Liquidity  simulations — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  further  expand  its  use  of  liquidity  simulations  as  a  forward 
looking  liquidity  risk  measurement  tool.  We  also  recommend  that  ALCO  and  the  Board  oversight  committee 
consider  whether  the  results  of  liquidity  simulations  indicate  a  need  to  modify  its  business  plan. 

Page  129    Liquidity  contingency  plan — Recommendation  No.  13 

We  recommend  that  Alberta  Treasury  Branches  develop  a  comprehensive  liquidity  contingency  plan  to  be 
better  prepared  for  a  liquidity  crisis  and  to  fully  comply  with  Alberta  Finance  and  Enterprise's  Liquidity 
Guideline.  The  plan  should  be  updated  and  approved  regularly. 

Page  131    Interest  rate  risk  reporting — Recommendation  No.  14 

We  recommend  that  Alberta  Treasury  Branches  provide  better— more  qualitative  and  quantitative- 
reporting  to  senior  management  and  the  Board  on  its  interest  rate  risk  management. 

Page  132    Interest  rate  risk  model  assumptions — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  processes  for  creating,  applying  and  validating 
assumptions  used  in  its  interest  rate  risk  models. 

Page  134    Interest  rate  risk  modeling  and  stress  testing — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  define  its  significant  interest  rate  risk  exposures  and  model 
those  significant  exposures  to  assess  the  effects  on  future  financial  results. 

Page  136    Interest  rate  risk  controls — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  put  in  place  controls  necessary  to  ensure  consistent 
measurement  of  interest  rate  risk. 
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Page  137    Role  and  use  of  middle  office — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  expand  the  role  of  its  middle  office  to  include 
responsibilities  for  monitoring  interest  rate  risk.  We  also  recommend  that  management  ensure  the  middle 
office  has  the  necessary  resources  to  monitor  foreign  exchange  activities  and  fulfill  its  other  responsibilities. 

Page  138    Treasury  information  systems — Recommendation 

We  recommend  that  Alberta  Treasury  Branches: 

•  evaluate  its  current  treasury  information  systems  against  its  business  requirements 

•  develop  and  implement  a  treasury  information  technology  plan  to  upgrade  its  tools 

Page  139    Treasury  policies — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  implement  the  updated  investment  and  derivatives  policies 
for  changes  arising  from  its  recent  review  of  those  policies.  We  also  recommend  that  ATB  review  the 
financial  risk  management  policy. 

Page  142    Role  of  ALCO — Recommendation  No.  15 

©==^    We  recommend  that  Alberta  Treasury  Branches  review  the  role  of  the  Asset  Liability  Committee  (ALCO) 
and  consider  restructuring  it  into  two  tiers. 

Page  143    Internal  audit  program — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  internal  audit  department  regularly  examine  all  types  of 
Alberta  Treasury  Branches'  derivative  activities  to: 

•  promptly  identify  and  rectify  internal  control  weaknesses 

•  fully  comply  with  the  Alberta  Finance  and  Enterprise  Derivatives  Best  Practices  Guideline 

Alberta's  mental  health  service  delivery  system 

Page  162    Mental  health  standards — Recommendation  No.  16 

®=^tr    We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services  create  provincial 
standards  for  mental  health  services  in  Alberta. 

Page  164    Housing  and  supportive  living — Recommendation  No.  17 

We  recommend  that  Alberta  Health  Services  encourage  mental  health  housing  development  and  provide 
supportive  living  programs  so  mental  health  clients  can  recover  in  the  community. 

Page  168    Clients  with  concurrent  disorders — Recommendation  No.  18 

We  recommend  that  Alberta  Health  Services  strengthen  integrated  treatment  for  clients  with  severe 
concurrent  disorders  (mental  health  issues  combined  with  addiction  issues). 

Page  169    Relationships  with  not-for-profit  organizations — Recommendation 

We  recommend  that  Alberta  Health  Services  improve  relationships  with  not-for-profit  organizations  to 
provide  better  coordinated  service  delivery. 

Page  171    Opportunities  to  reduce  gaps  in  service — Recommendation  No.  19 

We  recommend  that  Alberta  Health  Services  reduce  gaps  in  mental  health  delivery  services  by  enhancing: 

•  Mental  health  professionals  at  points  of  entry  to  the  system; 

•  Coordinated  intake; 

•  Specialized  programs  in  medium-sized  cities; 

•  Transition  management  between  hospital  and  community  care. 
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Page  176    Provincial  coordination — Recommendation 

We  recommend  that  Alberta  Health  Services  coordinate  mental  health  service  delivery  across  the  province 
better  by: 

•  Strengthening  inter-regional  coordination. 

•  Implementing  standard  information  systems  and  data  sets  for  mental  health. 

•  Implementing  common  operating  procedures. 

•  Collecting  and  analyzing  data  for  evidence-based  evaluation  of  mental  health  programs. 

Page  181    Improving  community-based  service  delivery — Recommendation 

We  recommend  that  Alberta  Health  Services  strengthen  service  delivery  for  mental  health  clients  at  regional 
clinics  by  improving: 

Wait  time  management. 
Treatment  plans,  agreed  with  the  client. 
Progress  notes. 
Case  conferencing. 
File  closure. 

Timely  data  capture  on  information  systems. 
Client  follow  up  and  analysis  of  recovery. 

Page  186    Funding,  planning,  and  reporting — Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services  ensure  the  funding, 
planning,  and  reporting  of  mental  health  services  supports  the  transformation  outlined  in  the  Provincial 
Mental  Health  Plan  as  well  as  system  accountability. 

Page  190    Aboriginal  and  suicide  priorities — Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta  Health  Services  consider  whether 
the  implementation  priority  for  aboriginal  and  suicide  issues  is  appropriate  for  the  next  provincial  strategic 
mental  health  plan. 

Advanced  Education  and  Technology 

Page  2 1 1    University  of  Alberta — Improve  investment  controls — Recommendation  No.  20 

We  recommend  that  the  University  of  Alberta: 

•  provide  increased  levels  of  detail  on  investments  to  the  Investment  Committee  to  facilitate  the 
monitoring  of  the  University's  investments,  and 

•  implement  approval  procedures  for  new  investment  vehicles. 


Page  213    University  of  Calgary— Improving  the  University  's  decentralized  control  environment- 
Recommendation  No.  21 

We  recommend  that  the  University  of  Calgary  improve  the  effectiveness  of  its  control  environment  by: 

•  assessing  whether  the  current  mix  of  centralized  and  decentralized  controls  is  appropriate  to  meet  its 
business  needs. 

•  defining  clear  roles,  responsibilities  and  accountabilities  for  control  systems'  design,  implementation, 
and  monitoring. 

•  documenting  its  decentralized  control  environment  and  implementing  training  programs  to  ensure 
those  responsible  for  business  processes  have  adequate  knowledge  to  perform  their  duties. 

•  monitoring  decentralized  controls  to  ensure  processes  operate  effectively. 

Page  2 1 6    University  of  Calgary — Improving  payroll  controls — recommendation  repeated — Recommendation 

We  again  recommend  that  the  University  of  Calgary  improve  controls  over  payroll  functions. 
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Page  2 1 7    University  of  Calgary — Improving  controls  over  journal  entries — Recommendation 

We  recommend  that  the  University  of  Calgary  improve  controls  over  the  approvals  and  documentation  for 
journal  entries. 

Page  219    University  of  Calgary — PeopleSoft  security — recommendation  repeated — Recommendation  No.  22 

We  again  recommend  that  the  University  of  Calgary  improve  controls  in  the  PeopleSoft  system  by: 

•  finalizing  and  implementing  the  security  policy  and  the  security  design  document,  and 

•  ensuring  that  user  access  privileges  are  consistent  with  both  the  user's  business  requirements  and  the 
security  policy. 

Page  221    University  of  Calgary — Improving  controls  over  investments — Recommendation 

We  recommend  that  the  University  of  Calgary  improve  controls  over  the  approvals  of  transactions  for  its 
internally  managed  investments. 

Page  222    University  of  Calgary — Complying  with  legislation — Recommendation 

We  recommend  that  the  University  of  Calgary  comply  with  the  Post-Secondary  Learning  Act  by  seeking 
approval  of  the  Lieutenant  Governor  in  Council  before  engaging  in  housing-loan-guarantee  transactions. 

Page  223    University  of  Lethbridge — Improving  the  University's  financial  processes — Recommendation 

We  recommend  that  the  University  of  Lethbridge  improve  its  year-end  processes  to  ensure  the  preparation 
of  complete  and  accurate  financial  statements. 

Page  225    University  of  Lethbridge — Clearly  defined  financial  research  roles  and  responsibilities — 
Recommendation 

We  recommend  that  the  University  of  Lethbridge  clearly  define  and  communicate  the  financial  research- 
management  roles  and  responsibilities  of  Research  Services,  Financial  Services,  and  Deans. 

Page  227    University  of  Lethbridge — Clear  and  complete  research  policies — Recommendation 

We  recommend  that  the  University  of  Lethbridge  improve  systems  to  ensure  that: 

•  financial  research  policies  are  current  and  comprehensive. 

•  proper  documentation  is  maintained  for  approving  research  accounts. 

•  researchers,  research  administrators  and  Financial  Services  staff  are  aware  of  changes  to  financial 
policies  and  are  properly  trained  to  comply  with  the  policies. 

Page  231    University  of  Lethbridge — Periodic  reporting  to  the  Board  of  Governors  on  financial  risks — 
Recommendation 

We  recommend  that  University  of  Lethbridge  management  periodically  report  to  the  Board  of  Governors  key 
information  on  financial  risks  in  research  management. 

Page  232    All  universities — Review  accounting  treatment  for  Universities  Academic  Pension  Plan  for  all 
universities — Recommendation  No.  23 

We  recommend  that  the  four  Alberta  universities  continue  to  work  together — and  with  the  Department  of 
Advanced  Education  and  Technology — to  review  the  accounting  treatment  for  the  unfunded  liability  of  the 
Universities  Academic  Pension  Plan. 

Employment,  Immigration  and  Industry 

Page  245    Monitoring  and  enforcement  of  training  providers — Recommendation  No.  24 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  monitoring  of  tuition- 
based  training  providers  by: 

•  assessing  whether  performance  expectations  are  being  met. 

•  quantifying  tuition  refunds  that  may  be  owing  to  the  Department. 

•  implementing  policies  and  procedures  that  outline  steps  and  timelines  for  dealing  with  non-compliance 
problems. 
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Page  249    Approving  and  renewing  training  programs — Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  its  systems  for  approving  and 
renewing  programs  by: 

•  clearly  defining  criteria  for  approving  each  program. 

•  developing  clear  performance  expectations  for  each  program  and  training  provider. 

•  using  its  monitoring  results  to  decide  whether  to  renew  a  program. 

Page  25 1    Improve  the  use  of  information  systems — Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration  improve  the  use  of  its  information 
systems  by: 

•  integrating  its  payment-processing  system  with  other  learner  databases  to  ensure  that  tuition  fee 
payments  are  accurate. 

•  implementing  adequate  controls  to  ensure  all  key  learner  data  is  promptly  updated  in  the  system. 

•  using  exception  reports  to  detect  potential  non-compliance  problems. 

Page  253    Workers'  Compensation  Board  (WCB) — Enforce  procedures  and  guidelines  for  purchasing-card 
program — Recommendation 

We  recommend  that  the  Workers'  Compensation  Board  enforce  its  procedures  and  guidelines  for  the 
purchasing-card  program  by  ensuring  that  all  purchasing-card  reports  are  appropriately  approved  and  have 
supporting  documentation. 

Energy 

Page  255    Alberta's  Bioenergy  Programs — Recommendation  No.  25 

We  recommend  that  the  Department  of  Energy: 

•  undertake  and  document  its  analysis  to  quantify  the  environmental  benefits  of  potential  bioenergy 
technologies  to  be  supported  in  Alberta. 

•  establish  adherence  to  the  Nine  Point  Bioenergy  Plan  as  a  criterion  within  its  bioenergy  project  review 
protocol,  and  require  grant  applications  to  indicate  the  projected  environmental  benefits  of  proposed 
projc(  :ts. 

•  prior  to  awarding  grants  in  support  of  plant  construction,  require  successful  applicants  to  quantify— 
with  a  life  cycle  assessment — the  positive  environmental  impact  relative  to  comparable  non-renewable 
energy  products. 

Page  257    Strengthen  controls  to  detect  and  prevent  errors  in  reporting  of  royalty-liable  fuel-gas  volumes — 
Recommendation  No.  26 

We  recommend  that  the  Department  of  Energy: 

•  strengthen  controls  to  prevent  fuel-gas  volumes  being  incorrectly  reported  in  the  Petroleum  Registry  of 
Alberta  and  to  detect  incorrect  reporting. 

•  improve  its  detection  and  monitoring  processes  over  fuel-gas  volume  amendments. 

Environment 

Page  261    Climate-Change  and  Emissions-Management  Fund —  Recommendation  No.  27 

We  recommend  that  the  Ministry  implement  processes  to  comply  with  the  Department  of  Treasury  Board  's 
deadlines  for  completing  the  financial  statements  of  the  Climate  Change  and  Emissions  Management  Fund. 
We  also  recommend  that  the  Ministry's  management  prepare  the  Fund's  Financial  statements  on  an  accrual 
basis. 

Page  262    EcoTrust  governance — Recommendation 

We  recommend  that  the  Ministry  of  Environment  improve  its  governance  of  ad  hoc  grants  received  from  the 
federal  government. 
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Finance 

Page  268    Financial  reporting  processes  and  succession  planning — Investment  Accounting  and  Reporting  Group 
Recommendation  No.  28 

We  recommend  that  the  Investment  Accounting  and  Reporting  group  (IAR)  of  the  Department  of  Finance 
and  Enterprise  improve  the  timeliness  of  its  financial  reporting  and  assess  IAR  workloads  by: 

•  recruiting  sufficient  people  with  expertise  in  investment  accounting. 

•  ensuring  time  budgets  allow  for  increases  in  the  number  of  investment  pools,  complexity  of  investment 
transactions,  staff  absences,  management  review  and  correction  of  errors. 

•  creating  a  management  succession  plan. 

Page  270    Donated  funds — Alberta  Heritage  Scholarship  Fund — Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  develop  a  process  to  ensure  complete, 
accurate  and  timely  recording  of  donations  to  the  Alberta  Heritage  Scholarship  Fund. 

Page  271    Payroll  bank  reconciliations — Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  work  with  its  service  provider  to  ensure  that 
bank  reconciliations  for  the  government's  payroll  disbursement  bank  account  are  promptly  prepared  and 
reviewed. 

Page  272    User  access — Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  review  all  user  access  to  business  data  to 
ensure  that  unauthorized  changes  are  prevented  and  appropriate  incident  monitoring  exists  to  ensure  systems 
issues  are  promptly  resolved. 

Page  273    Use  of  spreadsheets  in  processing  taxes — Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise,  Tax  and  Revenue  Administration,  review  the 
use  of  spreadsheets  in  processing  Insurance  Corporations  Tax.  We  also  recommend  that  the  Department 
assess  the  costs,  benefits  and  risks  of  using  spreadsheets,  and  consider  whether  using  existing  established 
computer  systems  is  more  appropriate. 

Page  274    ATB — Internal  controls  over  fair-value  calculations  of  investments  and  derivatives — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  controls  over  fair-value  calculations  of  its 
investments  and  derivatives  by: 

•  implementing  a  peer-review-and-approval  process  for  inputs  and  assumptions  used  in  the  valuation 
models. 

•  using  a  benchmarking  process — as  an  alternative  process  for  derivatives — to  assess  reasonability  of  its 
calculated  fair  values. 

•  documenting  the  results  of  this  work  consistently. 

Page  276    ATB — Derivative  credit  limits  in  report — Recommendation 

We  recommend  that  Alberta  Treasury  Branches  promptly  update  the  derivative  credit  limits  disclosed  on  the 
daily  derivative  credit  exposure  report. 

Page  277    ATB — Controls  for  capturing  non-consumer  loan-risk  ratings  in  its  banking  system — 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  controls  for  capturing  non-consumer  loan-risk 
ratings  in  its  banking  system. 

Page  278    ATB — Action  plans  to  resolve  internal  control  weaknesses  identified  by  ATB's  internal  control 
group — Recommendation  No.  29 

We  recommend  that  Alberta  Treasury  Branches  validate  and  approve  business  processes  and  internal  control 
documentation  developed  by  its  internal  control  group  and  implement  plans  to  resolve  identified  internal 
control  weaknesses. 
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Page  279    ATB — Criminal-record  checks — Recommendation  No.  30 

We  recommend  that  Alberta  Treasury  Branches  improve  its  hiring  processes  to  ensure  that  criminal-record 
checks  are  completed  before  people  start  working  for  it. 

Page  280    ATB — Securitization  policy  and  business  rules — Recommendation  No.  31 

We  recommend  that  Alberta  Treasury  Branches  develop  and  implement  a  securitization  policy  and 
securitization  business  rules. 

Page  282    AIMCo — Internal  control  certification — Recommendation  No.  32 

®^gt    We  recommend  that  Alberta  Investment  Management  Corporation  introduce  a  process  to  prepare  for  internal 
control  certification  by: 

•  ensuring  that  its  strategic  plan  includes  internal  control  certification. 

•  developing  a  top-down,  risk-based  process  for  internal  control  design. 

•  selecting  an  appropriate  internal  control  risk-assessment  framework. 

•  considering  sub-certification  processes,  with  direct  reports  to  the  Chief  Executive  Officer  and  Chief 
Financial  Officer  providing  formal  certification  on  their  areas  of  responsibility. 

•  ensuring  that  management  compensation  systems  incorporate  the  requirement  for  good  internal  control. 

•  using  a  phased  approach  to  assess  the  design  and  operating  effectiveness  of  internal  controls. 

Page  284    AIMCo — Conflicting  responsibilities  for  internal  audit — Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation  rectify  the  conflicting  job  responsibilities 
of  its  Chief  Internal  Audit  and  Compliance  Officer. 

Page  285    AIMCo — Procedures  for  valuing  real  estate  investments — Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation  improve  its  procedures  for  valuing  real 
estate  investments  by: 

•  developing  a  detailed  accounting  policy  which  considers  contingent  liabilities  such  as  development  and 
incentive  fees. 

•  segregating  the  valuation  of  real  estate  investments  from  the  portfolio  management  role. 

•  developing  procedures  to  reconcile  the  fair  value  and  cost  of  real  estate  investments  in  the  investments 
general  ledger  to  the  partner  accounts  in  the  audited  financial  statements  of  the  real  estate  holding 
companies. 

Page  287    AIMCo — Ensuring  completeness  and  accuracy  of  private  equity  partnership  investments — 
recommendation  repeated — Recommendation  No.  33 

We  again  recommend  that  Alberta  Investment  Management  Corporation  reconcile  its  investments  in  private 
equity  partnerships  to  the  audited  partnership  financial  statements. 

Page  288    AIMCo — International  Swaps  and  Derivatives  Association  Agreements — Recommendation  No.  34 

We  recommend  that  Alberta  Investment  Management  Corporation  regularly  review  its  International  Swaps 
and  Derivatives  Association  agreements  to  ensure  that  they  protect  it  from  the  risk  of  default  by  its 
counterparties.  We  also  recommend  that  the  Corporation  document  the  reasons  for  any  changes  to  the 
standard  form  of  the  agreement. 

Page  290    AIMCo — Controls  over  trading  with  approved  counterparties — Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation  improve  its  processes  for  setting  up  and 
maintaining  approved  counterparties  in  the  swap  database  system. 

Page  291    AIMCo — Performance  measurement  review  processes — Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation  improve  its  processes  for  management 
review  and  approval  of  investment  performance  information  by  implementing  a  review  and  approval  process 
for  investment  performance  reports. 
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Page  291    AIMCo — Controls  over  records  management — Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation  maintain,  file  and  be  able  to  retrieve  all 
hard-copy  records  supporting  completed  investment  transactions. 

Page  292    Alberta  Capital  Finance  Authority — Deadlines  to  finalize  financial  statements,  finish  the  audit,  and 
schedule  the  Audit  Committee  meeting — Recommendation 

We  recommend  that  management  and  the  Audit  Committee  of  Alberta  Capital  Finance  Authority  extend  the 
deadlines  for: 

•  finalizing  the  financial  statements. 

•  completing  the  financial  statement  audit. 

•  scheduling  of  the  Audit  Committee  meeting  to  approve  the  December  31,  2008  financial  statements. 

Page  294    Alberta  Securities  Commission— Purchase  policy — Recommendation 

We  recommend  that  the  Alberta  Securities  Commission  clarify  its  Purchase  Policy  to  ensure  compliance  with 
the  Trade,  Investment  and  Labour  Mobility  Agreement. 

Health  and  Wellness 

Page  300    Compliance  monitoring  activities — Recommendation  No.  35 

We  recommend  that  the  Department  of  Health  and  Wellness  complete  a  comprehensive  risk  assessment  and 
develop  a  risk  based  plan  to  improve  the  effectiveness  of  its  compliance-monitoring  activities. 

Page  30 1    Infrastructure  funding  for  health  facilities — Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  improve  controls  over  infrastructure  grants  for 
health  facilities  by  implementing: 

•  agreements  with  grant  recipients  that  clearly  outline  terms  and  conditions,  roles  and  responsibilities  and 
reporting  requirements; 

•  a  process  to  obtain  periodic  reporting  on  project  status. 

Page  303    Province  Wide  Services — Recommendation  No.  36 

We  recommend  that  the  Department  of  Health  and  Wellness: 

•  define  the  role  and  the  responsibilities  of  the  Province  Wide  Services  Advisory  Committee. 

•  update  the  Province  Wide  Services  Funding  Procedures  and  Definitions  Manual  and  follow  it. 

Page  306    Alberta  Health  Services — Calgary  Health  Region — information  technology  change  management 
controls — Recommendation 

We  recommend  that  Alberta  Health  Services — Calgary  Health  Region  improve  its  change  management 
policies  and  procedures,  follow  them  and  implement  monitoring  controls  to  ensure  they  are  complied  with. 

Page  307    Alberta  Health  Services — Calgary  Health  Region — information  technology  user  access  management 
controls — Recommendation 

We  recommend  that  the  Alberta  Health  Services — Calgary  Health  Region  update  its  user  access  management 
policies  and  procedures,  follow  them  and  implement  monitoring  controls  to  ensure  they  are  complied  with. 

Page  308    Alberta  Health  Services — Capital  Health — information  technology  security  controls — 
Recommendation 

We  recommend  that  Alberta  Health  Services — Capital  Health  improve  its  information  technology  security 
controls  over  user-access  administration,  privileged  user  accounts,  security  violations,  and  passwords. 

Page  309    Alberta  Health  Services — Capital  Health — information  technology  change  management  controls — 
Recommendation 

We  recommend  that  Alberta  Health  Services — Capital  Health  improve  its  information  technology  change- 
management  controls  over  testing,  categorizing,  and  reviewing  changes. 
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Page  31 1    Alberta  Health  Services — Peace  Country  Health — expense  claims  and  corporate  credit  cards 
controls — Recommendation 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health  strengthen  and  follow  its  policies  and 
processes  for  employee  expense  claims  and  corporate  credit  cards.  We  also  recommend  that  Peace  Country 
Health  develop  and  implement  policies  and  guidance  on  appropriate  expenses  for  hosting  and  working 
sessions. 


Page  312    Alberta  Health  Services — Peace  Country  Health — contract  documentation — Recommendation 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health  develop  and  implement  a  sole-sourcing 
policy  for  contracts  and  ensure  that  sole-sourcing  is  clearly  documented  and  justified.  We  also  recommend 
Alberta  Health  Services — Peace  Country  Health  ensure  contract  amendments,  including  changes  to 
deliverables,  are  documented  and  agreed  to  by  both  parties. 

Page  313    Alberta  Health  Services — Peace  Country  Health — information  technology  user  access — 
Recommendation 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health  establish  a  process  to  periodically 
review  computer  system  user-access  rights  to  ensure  they  are  appropriate. 


Page  317    HQCA — Investigative  Role  Policy — Recommendation 

We  recommend  that  the  Health  Quality  Council  of  Alberta  improve  its  Investigative  Role  Policy  by  defining 
or  providing  guidance  on: 

•  methodologies  for  different  circumstances. 

•  medical  standards  for  planning  and  conducting  investigations. 


Page  3 1 9    HQCA — guidance  on  using  legal  assistance — Recommendation 

We  recommend  that  the  Health  Quality  Council  of  Alberta  provide  guidance  on  use  of  legal  assistance  when 
conducting  investigations. 


International,  Intergovernmental  and  Aboriginal  Relations 

Page  324    Evaluating  international  offices'  performance — Recommendation 

We  recommend  that  the  Ministry  of  International  and  Intergovernmental  Relations  improve  the  processes 
management  uses  to  evaluate  the  performance  of  each  international  office. 

Page  326    Ensuring  effective  information-system  controls — Recommendation 

We  recommend  that  the  Ministry  of  International  and  Intergovernmental  Relations  obtain  assurance  that 
information-system  controls  are  effective  at  the  international  offices  and  that  relevant  Government-of- 
Alberta  IT  policies  and  standards  are  being  met. 

Justice  and  Attorney  General 

Page  331    Office  of  the  Public  Trustee,  Estates  and  Trusts — Administrative  Policy  Changes — Recommendation 

We  recommend  that  the  Office  of  the  Public  Trustee,  Estates  and  Trusts  update  administrative  policies  for 
client  assets  by  ensuring  that  the  policy  for: 

•  appraising  gems,  diamonds,  and  jewellery  specifies  what  documentation  to  keep  in  trust  files  and 
clearly  indicates  when  to  appraise  non-diamond-like  jewellery. 

•  reimbursing  Dependent  Adult  travel  expenses  is  extended  to  Official  Guardian  clients. 

•  valuing  personal  vehicles  for  Dependent  Adult  clients  specifies  how  to  value  the  vehicles. 
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Page  335    ME  first!  Program —  Recommendation  No.  37 

We  recommend  that  the  Department  of  Municipal  Affairs  assess  the  effect  on  greenhouse  gas  emissions  of 
the  energy  savings  that  resulted  from  the  projects  funded  by  the  Department's  ME  first!  Program  and  that  the 
Department  report  the  lessons  learned  from  this  program  to  the  Departments  involved  in  creating  climate 
change  programs. 

Page  336    Affordable  housing  advances — Recommendation 

We  recommend  that  the  Ministry  of  Housing  and  Urban  Affairs  assess  the  status  of  funds  advanced  to  grant 
recipients  who  have  not  started  the  construction  of  affordable  housing  projects. 

Service  Alberta 

Page  345    Service  Alberta's  role  as  a  central  processor  of  transactions — Recommendation  No.  38 

We  recommend  that  the  Ministry  of  Service  Alberta  consider  providing  internal  control  assurance  to  its 
client  ministries  on  its  centralized  processing  of  transactions. 

Page  346    Access-  and  security-monitoring  of  application  systems — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  ensure  adequate  logging  and  monitoring  processes  are  in 
place  in  all  application  systems  that  host  or  support  financial  information  and  Albertan's  personal 
information. 

Page  348    Secure  storage  for  confidential  information  of  Albertans — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  securely  store  void  or  cancelled  documents  with 
confidential  information  obtained  through  its  vital  statistics  services. 

Page  349    System-conversion  process — Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  document  its  review  of  actual  system-conversion 
activities  to  ensure  that  they  comply  with  the  approved  test  plan  for  system  conversion  and  data  migration. 

Solicitor  General  and  Ministry  of  Public  Security 

Page  35 1    AGLC  IT  change  management — Recommendation 

We  recommend  that  the  Alberta  Gaming  &  Liquor  Commission  (AGLC)  design  and  implement  a 
comprehensive  IT  change-management  policy  with  well-designed,  efficient,  and  effective  control  processes. 
We  further  recommend  that  AGLC  ensure  that  their  change-management  controls  are  consistently  followed 
throughout  the  organization. 

Sustainable  Resource  Development 

Page  355    Controls  over  revenue — Recommendation  No.  39 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  put  processes  in  place  to  allow 
significant  revenues  currently  recorded  when  cash  is  received  to  be  recorded  when  revenue  is  due  to  the 
Crown. 

Page  360    Enforcement  of  reclamation  obligations — Recommendation  No.  40 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  improve  processes  for  inspecting 
aggregate  holdings  on  public  land  and  enforcing  land  reclamation  requirements. 

Page  362    Flat  fee  security  deposit — Recommendation  No.  41 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  assess  the  sufficiency  of  security 
deposits  collected  under  agreements  to  complete  reclamation  requirements. 
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Page  364    Royalty  rates  for  sand  and  gravel — Recommendation  No.  42 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  assess  whether  current  royalty 
rates  for  aggregate  resources  on  public  lands  meet  the  aggregate  allocation  program  goals  and  objectives. 

Page  364    Quantity  of  aggregate  removed — Recommendation 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  develop  systems  to  verify 
quantities  of  aggregate  reported  as  removed  by  industry  from  public  lands  so  that  all  revenue  due  to  the 
Crown  can  be  assessed  and  recorded  in  the  financial  statements. 

Page  366    Information  management — Recommendation 

We  recommend  that  the  Department  of  Sustainable  Resource  Development  capture  and  consolidate 
information  throughout  the  life  of  an  aggregate  holding  and  use  it  to  test  compliance  with  legal  obligations. 

Treasury  Board 

Page  37 1    Salary  and  benefits  disclosure — Recommendation 

We  recommend  that  the  Ministry  of  Treasury  Board,  through  the  Salaries  and  Benefits  Disclosure  Directive, 
clarify  what  form  of  disclosure,  under  what  circumstances,  is  required  of  the  salary  and  benef  its  of  an 
individual  in  an  organization's  senior  decision  making/management  group  who  is  compensated  directly  by  a 
third  party. 

Page  375    Report  on  select  payments  to  MLAs — Content  of  Report — Recommendation 

We  recommend  that  the  Department  of  Treasury  Board  reaffirm  what  should  be  contained  within  the  Report 
of  Selected  Payments  to  Members  and  Former  Member  of  the  Legislative  Assembly  and  Persons  Directly 
Associated  with  Members  of  the  Legislative  Assembly  to  ensure  it  continues  to  be  relevant. 

Page  376    Report  on  select  payments  to  MLAs — Efficiency — Recommendation 

We  recommend  that  the  Department  of  Treasury  Board  use  current  technology  to  regularly  and  efficiently 
compile  the  material  for  public  reporting. 

Page  377    Report  on  select  payments  to  MLAs — Timely  Reporting — Recommendation 

We  recommend  that  the  President  of  Treasury  Board  arrange  for  all  final  reviews  of  the  Report  to  take  place 
within  six  months  of  the  year  end  so  that  the  Report  can  be  ready  for  tabling  in  the  Legislative  Assembly. 
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Standards  for  systems  audits 

Systems  audits  are  conducted  in  accordance  with  the  assurance  and  value- 
for-money  auditing  standards  established  by  the  Canadian  Institute  of 
Chartered  Accountants. 
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1 .  Summary 


Do  agencies  have 
effective  systems 
to  find,  assess,  and 
pay  CEOs? 


Quality  of  board 
decisions  depend 
on  quality  of 
board  members 


Board 

accountability  to 
minister  a  key 
control 


Board  relies  on 
CEO 


Three  governance 
models 


What  we  examined 

The  Alberta  government  delivers  vital  programs  and  services  to  Albertans 
through  provincial  agencies.  The  report,  At  a  Crossroads1,  issued  by  the  Board 
Governance  Review  Task  Force,  identified  248  agencies  of  which 
approximately  100  are  board  governed.  We  selected  61  of  those  board  governed 
agencies  (listed  in  Appendix  A)  that  all  operate  under  the  leadership  of  a  chief 
executive  officer  (CEO)  to  be  in  the  scope  of  this  audit.  We  assessed  the  overall 
effectiveness  of  systems  that  boards  of  directors  use — across  the  public 
sector — to  find,  evaluate,  and  pay  CEOs. 

The  quality  of  board  decisions  depends  on  the  quality  of  board  members.  A 
good  system  does  not  guarantee  a  good  decision,  nor  does  a  bad  system 
preclude  a  good  decision.  But  a  well-designed  and  functioning  system  greatly 
improves  the  potential  quality  of  decisions.  The  government  has  the  mandate  to 
help  boards  implement  well-designed  systems  by  guiding  them  on  good 
practices.  So  we  also  assessed  government  guidance  to  boards. 

The  systems  we  examined  are  key  governance  systems.  Boards  act  directly  on 
their  decisions  or  recommend  decisions  to  a  minister.  A  key  control, 
particularly  when  a  board  has  full  authority,  is  the  board's  accountability  to  the 
minister  for  its  decisions.  By  accountability,  we  mean  the  minister's  authority 
to  assess  if  a  board  has  made  decisions,  operated  within  legislation,  used  due 
diligence,  and  conformed  to  good  practice.  Our  examination  also  assessed  this 
key  control. 

An  effective  board  understands  its  central  role  in  making  good  decisions  on 
leadership  issues.  A  board's  ability  to  effectively  implement  its  mandate  and 
move  the  organization  forward  depends — significantly — on  finding  and 
keeping  a  competent  CEO. 

Agencies  operate  under  the  following  three  main  governance  models.  Boards' 
authority  to  hire,  evaluate  and  compensate  a  CEO  varies  with  the  model.  The 


1  The  report  is  available  on  the  Agency  Governance  Secretariat  website  at  http://alberta.ca/home/729.cfm. 
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underlying  attributes  of  different  models  are  similar.  We  did  not  assess  whether 
one  model  is  more  appropriate  than  another.  The  models  are: 

1.  The  board  has  full  authority  to  select,  evaluate  and  compensate  the  CEO. 
Alberta  colleges  and  universities  use  this  model. 

2.  The  board  recommends  a  CEO  candidate  and  compensation  to  the  minister 
for  approval  by  the  minister  or  the  Lieutenant  Governor  in  Council.  The 
board  evaluates  the  CEO.  ATB  Financial  uses  this  model. 

3.  The  CEO  is  a  department  employee.  The  board  works  with  department 
officials  to  recommend  decisions  to  the  deputy  minister,  who  has  final 
authority  in  all  three  areas.  Child  and  Family  Services  Authorities  use  this 
model. 


Why  this  is  important  to  Albertans 

Agencies  affect  all         Services  offered  by  agencies  affect  all  Albertans.  They  rely  on  agencies  to 

protect  the  public  interest  in  many  business  sectors.  CEOs  are  the  primary 
contact  between  agencies  and  their  governing  body,  the  board.  CEOs  are  often 
the  public  face  of  an  agency.  They  set  the  tone  for  an  agency,  with  a  key  role  in 
developing  strategic  direction,  advising  the  board,  and  overseeing  operations. 
CEOs  strongly  influence  the  quality  of  programs  and  services  that  agencies 
deliver. 


CEO  selection  is 
most  important 


A  board's  most  important  decision  in  terms  of  a  CEO  is  selection.  Evaluations 
help  improve  CEO  performance.  Compensation,  while  of  much  public  interest 
and  comment,  attracts,  motivates,  and  retains  a  CEO. 


Boards  answer  to 
Ministers 


Government  role: 
guide  and  train 
boards  and  hold 
them  accountable 


Government  to 
provide  guidance 


Boards  are  accountable  to  Ministers.  Albertans  rely  on  Ministers  to  ensure 
boards  fulfill  their  governance  responsibilities,  including  selecting,  evaluating, 
and  appropriately  compensating  their  CEO.  An  effective  accountability  process 
is  vital  to  ensure  that  agencies  are  well  governed,  and  Albertans  are  well  served. 

What  we  recommended 

The  government  has  a  role  in  helping  boards  implement  policies  and  systems 
that  conform  to  good  practice.  It  can  do  this  through  guidance  (recently  made 
more  accessible  with  the  new  Agency  Governance  Secretariat)  and  training. 
Government  ministers  must  hold  boards  accountable.  To  do  this,  they  need 
information  from  boards.  The  following  steps  will  improve  support  to  boards 
and  help  ministers  hold  boards  accountable: 

•     Government  needs  to  provide  guidance  to  agencies  and  departments  in  the 
areas  of  CEO  selection,  evaluation  and  compensation. 
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Agency 
Governance 
Secretariat  to  get 
information  from 
agencies 


Treasury  Board 
role:  improve 
disclosure 


•     Agency  Governance  Secretariat,  on  behalf  of  Ministers,  needs  to  obtain 
annual  information  from  agencies  on  CEO  evaluation  and  compensation 
processes  to  assess  if  good  practices  are  consistently  followed.  This  will 
help  ministers  hold  boards  accountable  for  their  decisions. 

The  Ministry  of  Treasury  Board  needs  to  consider  improving  public  disclosure 
of  CEO  compensation  by  applying  new  disclosure  requirements  for  private- 
sector  compensation  to  the  Alberta  public  sector. 


Use  formal 

compensation 

policy 


Base  target 
compensation  on 
comparator  group 


Use  broad 
comparator  group 


Consider  public- 
sector  CEO  rates 


Include  at  least  12 
agencies  in  group 


Ensure  no 
conflicts  of 
interest 


Boards  need  to  improve  systems  to  select,  evaluate,  and  compensate  CEOs  by: 

•  preparing  and  adopting  integrated  CEO  recruitment  and  succession  policies 
and  plans.  Boards  need  current  position  descriptions  for  CEOs  and  should 
review  them  annually. 

•  conducting  annual,  comprehensive  evaluations  of  their  CEO's 
performance. 

•  preparing  and  adopting  a  formal  executive  compensation  policy  for  CEOs. 
The  policy  should  require  the  compensation  committee's  decision  and 
rationale  on  CEO  compensation  to  go  to  the  full  board  for  approval.  It 
should  also  provide  clear  direction  for  calculating  variable  pay  . 

•  setting  the  target  for  CEO  compensation  using  a  peer-group  comparison, 
and  being  consistent  with  good  compensation  practices.  Boards  should 
provide  clear  reasons  for  adjustments  beyond  the  target  and  use  a 
comparator  group  that  meets  the  following  criteria: 

•  The  make-up  of  the  CEO  peer  group  should  be  broad-based  to  include 
comparators  of  similar  size  and  complexity,  locally,  or  from  a  different 
industry  that  the  agency  may  have  recruited  from  or  lost  executives  to 
recently. 

•  The  comparison  should  include  data  on  Alberta  public-sector  CEO 
compensation  rates  to  ensure  that  recommended  compensation  is  fair 
to  the  CEO,  the  board,  stakeholders  and  Albertans. 

•  The  comparator  group  should  be  large  enough  to  provide  sufficient 
information — when  possible,  at  least  12  organizations. 

•  ensuring  that  external  CEO  compensation  advisors  report  directly  to  the 
board  or  the  appropriate  board  committee. 

•  receiving  full  information  on  the  nature  of  any  current  or  prior  (within  the 
past  12  months)  work  performed  by  management  advisors,  along  with  their 
fees,  and  then  assessing  whether  the  consultant  is  free  of  conflicts  of 
interest. 


2  Variable  pay  is  known  as  pay-at-risk,  bonus  or  incentive  pay 
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Are  systems  to 
hire,  assess  and 
pay  agency  CEOs 
working? 


2.  Audit  objectives  and  scope 

Our  objective  was  to  determine  if  the  systems,  including  relationships  with 
departments  and  Ministers,  used  in  the  Alberta  public  sector  to  select  and 
evaluate  CEOs  for  agencies,  and  to  set  CEO  compensation,  are  working 
satisfactorily.  For  this  audit,  "working  satisfactorily"  means  meeting  the  criteria 
in  this  report. 


How  we  selected  \/\je  selected  61  agencies  in  this  audit  (see  Appendix  A)  from  the  ones  on  the 

agencies  for  audit         Board  Governance  Review  Task  Force  Agency  Inventory — October  2007.  The 

61  agencies  selected  are  all  board  governed  organizations  that  operate  under  the 
leadership  of  a  CEO.  In  all  subject  areas,  we  considered  systems  employed  by 
relevant  board-governed  organizations  and,  if  appropriate,  related  government 
departments.  For  the  compensation  part  of  the  audit,  we  also  examined  public 
disclosure. 


Our  actions  j0  perform  the  audit,  we: 

1.  reviewed  information  on  practices  in  other  Canadian  jurisdictions. 

2.  reviewed  board-governance  literature  on  topics  covered  by  the  audit. 

3.  used  a  questionnaire  to  obtain,  from  all  organizations  in  the  audit, 
information  on  CEO  selection,  evaluation  and  compensation  systems. 

4.  examined  information  used  to  decide  which  organizations  to  interview. 

5.  interviewed  key  members  of  the  board,  CEOs,  and  relevant  department 
officials  of  selected  organizations. 

6.  interviewed  or  received  written  responses  to  enquiries  from  government 
departments  in  the  same  ministry  as  the  agencies  included  as  part  of  the 
audit. 


Board  members 
appointed 


3.  Background 


Board-governed  agencies  are  authorized  under  legislation  to  deliver  a  wide 
range  of  services.  In  all  cases,  either  all  or  a  majority  of  board  members  are 
appointed  by  the  Lieutenant  Governor  in  Council  or  a  minister  to  oversee  the 
delivery  of  high  quality  services  according  to  agency  mandates.  The  ability  and 
capacity  of  agencies  to  deliver  services  is  directly  affected  by  the  CEO  chosen 
to  lead  them.  As  a  result,  we  have  examined  the  systems  that  agencies  have 
established  to  select  and  evaluate  their  CEO  and  to  determine  CEO 
compensation.  Oversight  of  the  CEO  is  a  significant  governance  responsibility 
of  boards. 


At  a  Crossroads 
report  considered 


The  report,  At  a  Crossroads,  issued  by  the  Board  Governance  Review  Task 
Force  included  recommendations  specific  to  the  topics  this  audit  covers.  We 
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considered  the  Task  Force's  recommendations  and  any  proposed  action  by  the 
government  in  formulating  recommendations  to  improve  any  system 
deficiencies  the  audit  identified. 


Focus  of  our 
review:  board 
systems  to  hire, 
assess  and  pay 
CEOs 


System  quality 
varies  with  agency 


Our  audit  focused  on  the  systems  that  support  the  responsibility  of  agencies  in 
recruiting,  evaluating  and  compensating  their  CEOs.  Such  systems  are 
fundamental  to  good  governance  and  require  agencies  to  use  a  thoughtful  and 
comprehensive  approach  so  that  the  ultimate  decisions  are  supportable  and 
sensitive  to  government  expectations.  Thus,  we  examined  the  basis  for  such 
decisions,  whether  or  not  a  planned  approach  was  used,  how  clearly 
expectations  and  criteria  were  identified  in  terms  of  processes  used,  and 
whether  the  processes  resulted  in  a  sense  of  full  board  ownership. 

4.  Conclusions 

The  scope  of  our  audit  was  sufficiently  broad  for  us  to  conclude  that  agencies 
need  guidance  on  meeting  good  practices  in  selecting,  evaluating  and 
compensating  CEOs.  Now  that  the  Agency  Governance  Secretariat  is 
established,  the  government  is  well-positioned  to  provide  the  guidance 
that  agencies  need  to  assess  whether  they  are  meeting  today's  good  practices 
and  to  bring  all  agencies  to  a  minimum  standard.  For  CEO  selection,  evaluation 
and  compensation  system  changes  to  take  hold  in  individual  agencies,  and  for 
accepted  practices  to  be  maintained  in  the  Alberta  public  sector,  requires  three 
distinctly  separate,  yet  interrelated,  actions:  clear  guidance;  agency  self- 
assessment;  and  evaluation  of  the  quality  of  the  accountability  information 
provided  to  ministers. 

5.  Recommendations 

5.1  Guidance 

Recommendation  No.  1 

We  recommend  that  the  Deputy  Minister  of  Executive  Council  through  the 
Agency  Governance  Secretariat  assist  agencies  and  departments  by 
providing  guidance  in  the  areas  of  CEO  selection,  evaluation  and 
compensation. 


Role  of 
government 


Criteria:  the  standards  we  used  for  our  audit 

Government  (Executive  Council,  Departments  and  Corporate  Human 
Resources)  should  establish  and  communicate  policies  and  practices  for 
selecting,  evaluating  and  compensating  CEOs.  Systems  within  government 
(Executive  Council,  Department  and  Corporate  Human  Resources),  should 
conform  to  the  principles  in  our  criteria. 
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1 


Government 
guidance  would 
help 


Selection  systems 
we  expected 

Policies  and  plans 
missing 


Full  boards  not 
always  involved  in 
decision 


Evaluation 
systems  we 
expected 


Systems  did  not 
meet  expectations 


Evaluate 
performance 


Compensation 
systems  we 
expected 


Our  audit  findings 

Guidance — we  did  not  find  comprehensive  government  guidance  to  agencies 
on  CEO  selection  policies  and  practices,  CEO  evaluation,  and  compensation 
matters.  Given  the  variety  of  approaches  taken,  such  guidance  would  produce 
an  overall  improvement  in  these  systems. 

Systems  to  select  CEOs — we  expected  that  boards  would  state — through 
policies  and  plans — the  approach  they  will  take  to  select  a  CEO  and  manage 
succession.  We  found  that  boards,  particularly  outside  the  post-secondary 
education  sector,  did  not  establish  policies  and  plans  for  selecting  a  CEO.  Also, 
boards'  focus  on  succession  was  on  emergency  replacement  of  the  CEO. 

Boards  that  selected  a  CEO  in  the  last  few  years  typically  used  recruitment 
professionals,  identified  appropriate  candidates,  and  used  due  diligence  in 
evaluating  candidates.  However,  in  a  few  cases,  boards  as  a  whole  were  not 
sufficiently  involved  in  the  final  decision. 

Systems  to  evaluate  CEOs — we  expected  systems  to  require  a  consistent, 
annual  comprehensive  evaluation  of  the  CEO.  These  systems  should  provide 
both  qualitative  and  quantitative  feedback  on  CEO  performance,  considering 
relationships  with  key  stakeholders,  achievement  of  board-approved  business 
plans  and  characteristics  such  as  leadership  and  board  relations.  We  also 
expected  that  evaluations  would  be  anchored  in  a  clearly  defined  and  current 
position  description. 

All  boards  did  some  evaluation.  However,  some  boards  do  not  have  their 
appraisal  approach  in  policy,  some  approaches  did  not  require  a  comprehensive 
evaluation,  and  others  vary  from  year  to  year.  Systems  that  did  not  require  a 
comprehensive  evaluation  did  not  consider  relationships  with  key  stakeholders 
or  characteristics  such  as  leadership.  Also,  few  agencies  had  current  CEO 
position  descriptions. 

Using  a  current  CEO  position  description,  together  with  the  board's  targets, 
significantly  improves  the  quality  of  evaluation.  Improved  evaluations  will  also 
help  boards  make  annual  compensation-adjustment  decisions  related  to 
performance.  * 

Systems  to  determine  CEO  compensation — we  expected  that  Boards  would 
receive  objective,  relevant  information  on  compensation  trends  that  balanced 
the  reality  of  their  industry  and  that  of  the  Alberta  public  sector.  Skilled 
professionals  would  develop  this  information  and  be  free  of  conflict  of  interest 
in  doing  so. 
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Comparator 
groups  not  diverse 

Possible  conflicts 
with  consultants 


Wide  range  of 
benefits  for  CEOs 


Most  boards  where  the  CEO  was  an  employee  of  the  agency  used  peer- 
comparator  models  to  assess  market  trends.  However,  not  all  peer  groups  were 
sufficiently  diverse.  Also,  in  a  few  cases,  the  target  rate  for  compensation  was 
in  the  upper  quartile  of  peer  groups.  Consultants  contracted  for  these  services 
also  delivered  other  services  to  agency  management,  increasing  the  risk  of 
undue  influence  from  management.  In  other  cases,  human  resources 
departments  that  reported  to  the  CEO  developed  the  data. 

We  found  a  wide  range  of  benefits  provided  to  CEOs,  particularly,  termination 
benefits  and  supplemental  retirement  plans.  As  expected,  the  form  of  variable- 
pay  model  used  varied.  In  some  cases,  the  rationale  for  the  selected  variable- 
pay  model  was  not  clear.  And  the  full  board  was  not  always  involved  in  the 
compensation  decision. 


Implication  and  risks  if  recommendation  not  implemented 

If  CEO  selection,  evaluation  and  compensation  guidance  is  not  provided,  the 
quality  of  decisions  by  boards  of  directors  in  this  area  will  continue  to  vary 
across  the  Alberta  public  sector  and  may  not  be  appropriate. 

5.2  Accountability 

Recommendation  No.  2 

We  recommend  the  Agency  Governance  Secretariat,  on  behalf  of 
Ministers,  annually  obtain  information  from  agencies  on  CEO  evaluation 
and  compensation  processes  to  assess  if  good  practices  are  being 
consistently  followed.  The  results  of  these  systems  assessments  should  be 
reported  to  Ministers,  who  should  then  hold  boards  of  directors 
accountable  for  their  decisions. 


Board  members 
accountable  to 
minister 

Ministers  need 
information 


Background 

The  majority  of  provincial  agencies'  board  members  are  appointed  by  the 
government  and  are  fully  and  formally  accountable  to  the  relevant  minister. 
Ministers  need  information  to  fulfill  their  duty  to  hold  the  board  accountable. 
The  information  needed  by  a  minister  may  come  directly  from  a  board  chair, 
through  the  department  or  through  the  Agency  Governance  Secretariat.  In  part, 
board  chairs  meet  their  obligations  through  formal  documentation,  such  as  a 
memorandum  of  understanding  requiring  the  filing  of  business  plans  and  annual 
reports.  They  also  informally  advise  the  Minister  on  critical  matters  as  these 
arise. 


Government 

established 

Agency 


Recently  the  government  responded  to  the  2007  report,  At  a  Crossroads,  by 
establishing  the  Agency  Governance  Secretariat  in  the  Department  of  Executive 
Council,  under  the  Deputy  Ministry  of  Executive  Council.  The  Report  stated 
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Governance 
Secretariat  to 
improve 
governance 


that  the  Secretariat  should  provide  coordination  and  overall  support,  and 
promote  continuous  improvement  in  good  governance.  The  Secretariat  has 
issued  polices  and  guidance  on  a  number  of  governance  subjects  since 
inception.  These,  and  other  information,  are  available  on  the  Secretariat  website 
(www.alberta.ca/home/729.cfm) . 


The  systems  we  examined  operate  within  the  broader  definition  of  roles  and 
responsibilities  for  the  minister,  department,  and  agency.  As  part  of  the 
response  to  the  report,  At  a  Crossroads,  the  government  issued  the  Public 
Agencies  Governance  Framework.  The  government  comments  on  roles  and 
responsibilities  in  Section  5  of  the  Framework,  where  it  says  that,  "Clear 
statements  about  roles  and  responsibilities  that  are  reviewed  and  regularly 
accepted  by  the  highest  level  of  agency  and  ministry  are  essential  for  good 
governance."  We  agree — our  recommendations  assume  that  this  framework 
will  be  implemented. 

Criteria:  the  standards  we  used  for  our  audit 

Ministers  should  hold  boards  accountable  for  CEO  selection,  evaluation  and 
compensation  decisions.  Government  should  obtain  and  evaluate  information 
on  CEO  selection,  evaluation  and  compensation  systems  to  support  Ministers. 
Provincial  agencies  should  provide  Ministers  with  relevant  information. 


Extent  of 
government's 
involvement  in 
agency  systems  to 
select,  hire,  pay 
CEO  varies 


Ministers  hold 
boards  responsible 


Minister 

represents  public 


Our  audit  findings 

The  government's  involvement  varies  considerably  in  CEO  selection, 
evaluation  and  compensation.  For  example,  boards  of  post-secondary  education 
institutions  are  empowered  to  select,  evaluate  and  determine  compensation  for 
the  CEO.  In  the  case  of  child  and  family  service  authorities,  the  deputy  minister 
has  the  final  say  on  selecting  and  evaluating  CEOs  and  setting  their 
compensation.  It  is  a  policy  choice  of  the  government  as  to  how  much  power  to 
delegate  to  a  board. 

Ministers  are  responsible  to  hold  boards  accountable  for  their  decisions, 
including  decisions  to  select,  hire  and  pay  their  CEO.  Greater  delegation  of 
authority  requires  stronger  accountability.  This  does  not  mean  that  the  Minister 
takes  on  the  role  of  the  Board.  Instead,  it  means  that  questions  will  be  asked  and 
meaningful  answers  are  expected.  Boards  must  feel  that  they  will  be  held 
accountable  for  their  decisions,  including  decisions  to  select,  hire  and  pay  their 
CEO.  In  the  private  sector,  shareholders  have  exercised  their  authority  as 
owners  to  improve  board  accountability.  In  the  public  sector,  the  minister  is  the 
proxy  for  the  shareholder  (the  taxpayer) . 
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Agencies  not  clear 
on  type  or 
frequency  of 
contact  to  have 
with  government 


Two  departments 
take  no  role  in 
CEO  selection, 
evaluation  and 
compensation 


One  department 
more  involved 


Both  government 
and  agencies  need 
to  clarify 
expectations  for 
dealing  with  CEO 


Agencies 
frustrated  with 
lack  of  central 
support 


A  number  of  agencies  are  unclear  on  how  significant  their  linkage  to  the 
government  is  (or  should  be)  and  thus  how  frequently  they  should  be  in  contact 
and  on  what  issues.  Agencies  are  instruments  of  government  policy,  created  to 
deliver  government  services  that  the  government  decided  were  better  delivered 
by  an  agency  than  a  department.  Only  some  agencies  felt  that  regular  contact 
with  the  government  on  CEO  selection,  evaluation  and  compensation  was 
appropriate. 

The  departments  of  Advanced  Education  and  Technology,  and  Health  and 
Wellness  told  us  that  they  had  no  role  in  agency  CEO  selection,  evaluation,  and 
compensation.  They  do  not  routinely  receive  information  on  the  full  CEO 
compensation  arrangements,  relying  instead  on  salary  disclosure  in  financial 
statements.  During  the  course  of  the  audit,  we  learned  that  the  Department  of 
Health  and  Wellness  asked  for  and  received  copies  of  the  then  CEO  contracts. 

The  Department  of  Finance  and  Enterprise  has  five  agencies  which  were 
included  in  our  audit.  Its  minister  support  systems  allowed  it  to  advise  the 
minister  about  CEO  selection,  evaluation  and  compensation  decisions. 

Considering  the  responses  to  our  questionnaire  and  interviews,  we  conclude 
that  work  is  required  by  both  the  government  and  agencies  to  ensure  a  clear 
understanding  of  expectations  for  CEO  selection,  evaluation  and  compensation. 
The  understanding  of  some  boards  of  agencies,  or  their  CEOs,  of  what  they 
should  report  to  the  Minister  was  at  odds  with  effective  accountability  to  the 
Minister.  Some  of  this  occurred  over  time,  as  agencies  are  trying  to  find  their 
own  way.  Boards  can  exercise  considerable  independence  while  still  meeting 
their  obligations  for  accountability  to  the  Minister  through  their  ongoing 
reporting  of  relevant  issues,  such  as  CEO  selection,  evaluation,  compensation. 

In  a  few  cases,  agencies  highlighted  frustration  with  the  lack  of  any  central 
support  for  newly  created  boards  or  objective  compensation  information.  A 
recently  established  board,  whose  operations  were  previously  part  of  a 
department,  stated  that  it  had  little  notice  of  the  creation  of  the  agency.  Further, 
the  agency  was  established  with  limited  organizational  infrastructure.  As  a 
result,  it  has  spent  considerable  time  just  setting  up  administration,  in  addition 
to  meeting  core  responsibilities.  Two  years  after  start  up,  it  is  only  now  starting 
to  develop  a  full  range  of  board  policies.  Other  organizations  stated  that  they 
found  it  hard  or  expensive  to  acquire  comparative  and  reliable  compensation 
data. 
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Implication  and  risks  if  recommendation  not  implemented 

Without  uniform  independent  assessments  of  the  quality  of  agencies'  CEO 
evaluation  and  compensation  systems,  Ministers  may  not  hold  agencies  to  a 
common  standard  of  practice. 

5.3  CEO  compensation  disclosure 
Recommendation  No.  3 

We  recommend  that  the  Treasury  Board  consider  applying  the  new 
private-sector  compensation-disclosure  requirement  to  the  Alberta  public 
sector. 


Treasury  Board 
directive  requires 
disclosure  of 
compensation 


Disclosure  started 
in  1990s 


Private-sector 

disclosure 

proposal 


Background 

Treasury  Board  Directive  12-98  requires  Alberta  public-sector  organizations  to 
report  executive  compensation  and  prescribes  the  form  of  the  disclosure. 
Recommendation  13  in,  At  a  Crossroads,  the  Report  of  the  Board  Governance 
Review  Task  Force,  stated  that  "Remuneration  of  directors  and  CEOs  should  be 
disclosed  to  the  public." 

Salary  disclosure  started  in  the  mid-1990s  in  the  Alberta  public  sector.  Since 
then,  the  required  form  of  report  has  changed  several  times.  One  key  change 
was  to  model  it  more  closely  to  the  form  of  reporting  in  the  private  sector. 

On  February  22,  2008,  the  Canadian  Securities  Administrators  issued  a 
proposed  new  statement  on  executive  compensation,  to  come  into  effect  on 
December  31,  2008.  The  statement  requires  significantly  enhanced  disclosure 
of  private-sector  executive-compensation  arrangements  for  publicly  listed 
Canadian  companies.  Key  elements  of  the  disclosure  require  stating: 

•  the  objective  of  the  compensation  plan. 

•  what  the  compensation  program  is  designed  to  reward. 

•  each  element  of  compensation. 

•  why  the  organization  choose  to  pay  each  element. 

•  how  the  organization  determines  the  amount  (and,  where  applicable,  the 
formula)  for  each  element. 

•  how  each  element  of  compensation,  and  the  organization's  decisions  about 
that  element,  fit  into  the  organization's  overall  compensation  objective  and 
affect  decisions  about  other  elements. 


Disclosure 

improves 

accountability 


The  underlying  principle  of  the  Treasury  Board  Directive  is  improving  an 
organization's  accountability  for  the  compensation  decisions  and  increasing  the 
transparency  of  these  decisions.  Salary  disclosure  is  also  used  by  others  to 
compare  with  their  own  compensation  practices. 
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The  Treasury  Board  Directive  requires  salary  disclosure  to  be  included  in  the 
annual  financial  statements  of  organizations.  As  a  result,  the  salary  disclosure  is 
examined  as  part  of  the  annual  financial-statement  audit. 

Criteria:  the  standards  we  used  for  our  audit 

Compensation  reported  in  financial  statements  should  be  complete  and 
accurate. 


Variable  pay 
disclosure 


Pension  plan 
disclosure 


Termination 
benefits  disclosure 


Our  audit  findings 

We  examined  the  salary  disclosure  information  for  the  2007  fiscal  year  and 
considered  it  in  context  of  employment  arrangements  with  CEOs. 

In  a  number  of  cases,  compensation  packages  included  a  variable  pay 
component.  The  current  Treasury  Board  Directive  does  not  require  disclosure 
of  the  organization's  underlying  variable  pay  philosophy  or  a  description  of  the 
variable  compensation  arrangement. 

The  pension  or  supplemental  retirement  plans  requirement  in  the  2007  salary 
disclosure  does  not  contain  sufficient  information  to  allow  full  accountability  or 
comparison  among  agencies.  For  example,  a  number  of  agencies  provide  the 
CEO  with  two  pension  plans:  a  public-sector  plan  and  a  supplemental 
retirement  plan.  Expanded  reporting  is  required  only  for  the  supplemental  plan. 
Where  a  CEO  is  not  part  of  a  public-sector  plan,  some  agencies  provide  the 
CEO  with  a  unique  plan  normally  defined  in  the  contract  or  by  board  policy.  It 
is  not  clear  in  the  required  disclosure  that  this  plan  differs  from  other 
supplemental  retirement  plans,  even  though  it  is  reported  under  this  heading. 

A  number  of  contracts  provide  for  benefits  to  be  paid  to  a  CEO  on  termination. 
In  some  cases,  a  benefit  is  to  be  paid  even  if  the  CEO  initiates  the  termination. 
Termination  benefits  were  frequently  calculated  as  a  factor  of  base  salary;  in 
other  cases,  they  included  a  calculation  for  benefits.  In  at  least  one  case,  it 
included  an  estimate  of  the  average  bonus.  The  Treasury  Board  Directive  does 
not  require  disclosure  of  a  CEO's  entitlement  to  termination  benefits  or  the 
amount  of  the  benefits. 


Unique  benefits  CEOs  may  receive  benefits  in  the  form  of  a  special  mortgage  arrangement.  In 

disclosure  Qne  case  ^e  agenCy  agreed  to  cover  a  loss  on  the  sale  of  the  CEO's  home. 

While  salary  disclosure  requires  the  reporting  of  either  non-cash  or  other  cash 
benefits,  if  there  is  a  current-year  cost,  these  unique  benefits  are  not  sufficiently 
described  in  the  financial  statements. 
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Salary  disclosure 
does  not  allow  full 
accountability  or 
comparison 


Inconsistencies  in 
reporting 


Vacation  credits 
can  inflate  salary 
and  impede 
accurate 
comparison 


In  our  opinion,  current  salary  disclosure  does  not  provide  for  full  accountability 
or  comparison.  Updating  the  Directive  to  consider  the  new  private-sector 
standards  will  allow  all  aspects  of  a  CEO's  compensation  and  their  costs  to  the 
organization  to  be  presented  in  a  single,  easy-to-read  statement.  This  will 
ensure  that  stakeholders  understand  the  total  compensation  provided. 

Financial-statement  disclosure  notes  vary.  In  at  least  two  cases,  disclosures 
exceed  the  requirements  of  the  Directive.  For  health  authorities,  the  2007 
disclosure  did  not  comply  with  the  Directive;  this  was  corrected  in  2008.  We 
noted  some  reporting  inconsistencies  in  the  category  headings  where  bonuses 
and  honoraria  are  reported  as  part  of  "Salary"  or  separately  under  "Other  Cash 
Benefits".  Where  bonuses  and  honoraria  were  combined  with  base  salaries 
under  the  heading  of  "Salary  and  Honoraria",  the  aggregated  numbers  could  be 
misinterpreted  as  base  salary  by  anyone  who  uses  the  number  as  a  comparator 
to  assess  a  CEO's  salary. 

Also,  if  a  CEO  received  a  substantial  cash-out  for  unused  vacation  credits  in  a 
year,  this  amount  would  skew  or  inflate  the  CEO  base  salary  or  cash 
compensation.  This  misrepresentation  could  affect  CEO  salaries  given  that  a 
number  of  boards  and  CEOs  use  the  salary  disclosure  data  as  the  authoritative 
source  of  market  data  for  their  peer  groups  in  Alberta.  It  was  not  surprising, 
therefore,  that  several  chairs  expressed  a  concern  with  the  reliability  and 
comparability  of  salary-disclosure  information. 


Implication  and  risks  if  recommendation  not  implemented 

Boards  will  not  be  held  accountable  for  their  decisions  and  may  agree  to 
inappropriate  arrangements.  Users  of  the  information  will  not  have  sufficient 
information  to  properly  evaluate  compensation  arrangements  and  may  make 
inaccurate  assessments. 

6.  Recommended  practices 

These  recommended  practices  are  not  presented  as  recommendations  since  the 
Office  of  the  Auditor  General  does  not  expect  a  formal  response  from 
government. 

Systems  used  to  select,  evaluate,  and  compensate  CEOs  varied  in  quality  across 
the  organizations  we  examined.  We  believe  that  each  agency  should  examine 
their  CEO  selection,  evaluation  and  compensation  systems  and  the 
recommended  practices  to  decide  if  those  systems  could  be  improved. 
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6.1  Selection  of  CEO 

Recommended  practices 

Boards  of  directors  of  provincial  agencies  should  adopt  integrated  CEO 
recruitment  and  succession  policies  and  plans. 

Boards  of  directors  of  provincial  agencies  should  ensure  that  current  position 
descriptions  exist  for  the  CEO  and  that  they  review  the  CEO  position 
description  annually. 


CEO  as  only 
board  employee 


Boards  use  system 
to  find  candidates 


Background 

Governance  principles  hold  that  the  CEO  is  the  only  employee  of  the  board. 
This  is  based  on  the  belief  that  organizations  perform  best  when  there  is  a  clear 
separation  between  the  policy-setting  and  oversight  functions  of  the  governing 
body,  and  the  administrative  tasks,  including  accountability  for  and  supervision 
of  employees,  of  the  organization.  As  a  result,  CEO  selection  is  a  critical 
responsibility  of  a  board.  The  selection  of  the  CEO  sends  a  message  to  staff  and 
stakeholders  about  the  direction  the  organization  plans  to  take.  The  CEO  is 
expected  to  work  closely  with  the  board  to  define  the  strategic  direction  of  the 
organization,  and  the  board  then  holds  the  CEO  accountable  for  realizing  the 
organization's  plans. 

Boards  use  a  system  or  process  to  identify  and  evaluate  prospective  candidates. 
In  the  Alberta  public  sector,  the  more  autonomous  boards  establish  and  run 
their  own  process.  In  other  cases,  where  the  CEO  is  selected  jointly  by  the 
board  and  deputy  minister,  the  process  may  be  developed  by  the  government's 
Corporate  Human  Resources  group. 


Boards  have  to 
ensure  system  for 
succession 


Boards  are  also  responsible  to  ensure  that  an  appropriate  CEO  succession- 
management  system  is  in  place.  Succession  includes  being  able  to  appoint  an 
immediate  replacement,  typically  in  an  acting  capacity.  Also,  it  includes 
developing  internal  candidates  for  the  CEO  position.  An  effective  succession 
policy  and  plan,  based  on  appropriate  training  and  development  plans,  will  train 
current  employees  to  compete. 


Policy  to  identify 
and  assess 
candidates 


Criteria:  the  standards  we  used  for  our  audit 

The  selection  system  should  identify  the  most  appropriate  candidate. 

a)    A  recruitment  policy  should  be  established  to  objectively  identify  and 
evaluate  candidates.  The  board  role  must  include  confirming  criteria  for 
assessing  suitability  of  candidates  and  confirming  selected  candidates  or 
recommending  candidates  to  the  appointing  authority.  Policy  should 
require  establishing: 
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Process 


CEO  contract 


i)  criteria,  setting  out  skills  and  attributes  of  a  CEO,  to  assess  suitability 
of  candidates. 

ii)  an  objective  process  to  evaluate  candidates. 

b)  The  process  should  be  consistent  with  any  succession  plan  for  the  CEO. 

c)  The  policy  should  be  followed  in  the  recruitment  process. 

d)  The  CEO  contract,  which  sets  out  the  Board's  expectations  of  the  new 
CEO,  should  be  consistent  with  criteria  the  board  set. 


Most  agencies 
lack  recruitment 
policies  and  plans 


Chairs  don't  see 
need  for  policy 
and  don't  want  to 
bind  future  boards 


Preference  to  deal 
with  recruitment 
on  ad  hoc  basis 


Process  should 
explain  benefits  of 
a  plan 

HR  professionals 
used — board's 
role  varies 
considerably 


Our  audit  findings 

Recruitment  policies  and  plans — most  agencies  in  our  audit  that  select  a  CEO 
do  not  normally  establish  recruitment  polices  or  plans.  Those  with  policies  and 
plans  are  typically  post-secondary  education  institutions.  These  plans  are 
typically  comprehensive,  inclusive  of  various  stakeholders  and  formalized. 

In  interviews,  the  majority  of  board  chairs  stated  that  they  did  not  see  the  need 
to  prepare  a  policy  or  plan  until  the  board  needs  to  replace  the  current  CEO.  A 
few  board  chairs  argue  that  creating  a  policy  would  bind  a  later  board,  which 
they  believe  should  not  be  constrained  since  they  must  make  decisions  based  on 
current  needs.  However,  all  policies  need  to  be  reviewed  periodically  for 
relevancy.  Many  chairs  pointed  out  that  the  contract  required  the  CEO  to  give 
notice  of  a  decision  to  leave  far  in  advance  of  the  departure  date,  in  some  cases, 
as  much  as  12  months.  And  this  allows  time  to  deal  with  the  matter.  But  it  does 
not  replace  the  need  for  a  board  policy  or  plan. 

The  board  chairs  we  met  who  had  recruited  a  CEO  in  the  last  few  years  stated 
the  importance  of  an  open  competitive  process.  Such  a  process  allows  them  to 
assert  that  the  appointment  was  based  on  merit.  When  we  asked  boards  with  a 
long-standing  CEO  what  they  would  do  when  the  need  arose,  they  said  that 
they  would  pull  together  the  information  from  the  last  recruitment  or  they 
speculated  on  a  typical  process.  All  had  a  sense  of  what  they  would  do,  and  a 
policy  preference.  Articulating  the  board's  position  through  a  policy  and  plan 
informs  a  future  board  of  the  current  board's  view.  It  allows  lessons  learned 
from  a  current  recruitment  to  be  passed  on.  Also,  it  informs  stakeholders  and 
staff  of  the  board's  position  on  this  important  subject. 

In  all  cases  where  a  CEO  was  recently  selected,  the  board  used  a  recruitment 
professional.  Autonomous  boards  employed  external  consultants.  Agencies, 
where  the  board  recommends  an  appointment,  typically  use  Corporate  Human 
Resource's  Executive  Search  branch  or  a  departmental  human  resources 
division.  The  use  of  professional  assistance  is  a  good  practice.  However, 
considerable  variation  occurs  as  to  when  and  how  the  whole  board  is  involved. 
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Department 
process  used  when 
agency  and 
department  work 
together 


In  some  cases,  the  board  ratifies  the  recommendation  of  a  committee.  In  others, 
a  board  interviews  final  candidates  and  decides  on  the  appropriate  candidate. 

When  an  agency  and  department  shared  the  task  of  selecting  a  CEO,  the 
policies  and  process  followed  were  those  used  by  the  government  for  recruiting 
departmental  executives.  However,  there  was  considerable  variation  in  the 
practices  among  boards,  particularly,  the  role  of  the  board  in  the  decision- 
making process.  In  some  cases,  the  decision  was  made  by  the  chair  and  the 
deputy  minister.  In  other  cases,  the  full  board  made  the  decision  with  the  deputy 
minister.  In  one  case,  the  board  proposed  the  short  list  and  delegated  the  rest  of 
the  task  to  a  board  committee. 


Whole  board — not 
committee- 
should  decide  on 
CEO 


In  all  cases,  regardless  of  the  process  used  (delegating  selection  responsibility 
to  a  board  committee)  the  board  as  a  whole  should  decide  who  is  to  be  hired 
whether  under  its  own  authority  or  as  a  recommendation  to  the  Deputy,  or  the 
Minister.  This  is  arguably  the  most  important  task  of  a  board.  A  clearly 
articulated  policy  and  plan  should  set  out  how  the  board  as  a  whole  will  be 
consulted  and  if  it  is  to  have  a  greater  role,  such  as  interviewing  short-listed 
candidates. 


Boards  have 
policy  on 
emergency 
replacement  of 
CEO 


Various 

contracting 

practices 

Fixed  term 


Open  term 


Succession  policies  and  plans — most  boards  we  examined  have  considered  the 
question  of  succession.  In  virtually  all  cases,  they  have  determined  how  they 
will  react  to  an  emergency  need  to  appoint  an  acting  CEO.  Most  have  a  policy 
on  it.  However,  few  have  required  management  to  implement  planned 
processes  to  develop  internal  staff  to  compete  for  the  CEO  position.  We  found, 
in  some  instances,  thoughtful  approaches.  These  typically  start  with  articulating 
a  policy,  and  requiring  the  CEO  to  report  on  progress  to  the  Human  Resources 
Committee  or  equivalent.  A  good  succession  policy  integrates  with  the 
recruitment  policy,  while  recognizing  that  most  boards  endorsed  open 
competitions  as  the  preferred  recruitment  process.  In  our  opinion,  a  policy  and 
plan  which  places  the  emphasis  on  staff  development  rather  than  just  the 
designation  of  an  apparent  successor  are  needed. 

Contracts  state  expectations — different  approaches  were  taken  in  contracting 
with  the  successful  candidate.  The  most  common  is  that  of  entering  into  a 
contract  which  covers  a  fixed  term,  such  as  5  years.  Usually  this  contract  allows 
for  renewal.  In  a  few  cases,  the  agency  implemented  a  rigorous  process  to 
support  the  decision  to  enter  into  a  new  or  extended  contract.  In  these  cases,  the 
process  was  normally  set  out  in  policy. 

A  second  approach  is  to  enter  into  a  contract  that  has  no  time  limit  or  allows  for 
automatic  renewal.  Boards  argued  that  this  approach  allows  for  a  longer-term 
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commitment  by  both  parties  and  permits  compensation  commitments  unique  to 
the  CEO. 


Boards  have 
flexibility 


Board 

expectations  of 
CEO  often  not 
specified  in 
position 
description 


The  different  approaches  used  show  the  flexibility  boards  have.  A  board  can 
use  a  board-driven  strategic  view  as  to  how  it  will  formalize  its  CEO  selection. 

Expectations  of  a  CEO — The  CEO  contract  should  set  out  what  the  board  will 
expect  of  the  new  CEO.  Most  contracts  referred  to  expectations  of  a  CEO, 
though  many  were  general.  Some  boards  had  position  descriptions  setting  out 
expectations  of  the  CEO.  However,  in  a  majority  of  cases,  the  expectations  of 
the  CEO  position  were  not  set  out  in  a  position  description.  When  we  asked  for 
the  position  description,  we  were  given  the  position  profile  developed  to 
support  the  most  recent  recruitment.  In  some  cases,  these  were  several  years 
old. 


Position  descriptions  set  out  the  expectations  of  the  CEO,  support  CEO 
performance  evaluation,  and  assist  in  preparing  recruitment  documents.  A 
position  profile,  though  useful  to  the  recruitment  process,  does  not  negate  the 
need  for  a  comprehensive  position  description. 

Implication  and  risks  if  recommended  practices  not  followed 

Lack  of  clearly  articulated,  integrated  policies  and  plans  on  CEO  recruitment 
and  succession  could  result  in  the  best  candidate  not  being  selected.  Without 
clearly  articulated  expectations  based  on  a  comprehensive  approach  to 
developing  position  descriptions,  a  board  will  probably  find  it  more  difficult  to 
assess  CEO  performance. 

6.2  Evaluation  of  CEO 

Recommended  practice 

Boards  of  directors  of  provincial  agencies  should  conduct  an  annual 
comprehensive  evaluation  of  their  CEO's  performance. 


Board  assesses 
CEO 


Background 

A  critical  role  of  the  board  is  evaluating  CEO  performance,  which  serves 
several  useful  purposes,  such  as 

•  assessing  the  CEO's  performance  against  the  position  description  and 
board  targets. 

•  evaluating  the  relationship  of  the  board  with  the  CEO  and  the  areas  for 
improvement  in  that  relationship. 

•  evaluating  the  relationship  from  the  CEO's  perspective. 

•  reviewing  current  and  future  targets  for  the  CEO. 

•  discussing  organizational  health. 
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•     developing  personal  plans. 

Effective  CEO  evaluation  is  a  cornerstone  of  good  governance. 


CEO  needs  Board 
feedback 


Evaluation  should 
link  back  to 
expectations 


Criteria:  the  standards  we  used  for  our  audit 

Evaluation — the  system  should  provide  timely  relevant  feedback  on 
performance  of  the  CEO. 

a)  Policy  should  be  established  to  set  out  the  process  for  evaluating  CEO 
performance  and  to  provide  a  mechanism  for  delivering  the  evaluation.  The 
process  established  by  the  policy  should  highlight  the  need  to: 

i)  prepare  the  CEO  personal-performance  plan,  which  conforms  to  the 
contract,  expectations  of  the  board  and  any  other  relevant  party. 

ii)  allow  for  input  from  all  board  members. 

iii)  allow  for  input  from  other  parties  such  as  department  officials,  other 
managers  and  stakeholders. 

iv)  measure  performance  against  relevant  criteria,  and  the  CEO 
performance  plan. 

b)  Evaluation  communicated  to  the  CEO  should  be  consistent  with 
expectations  of  CEO  as  set  out  in  contract,  annual  personal  plans  and 
information  on  CEO  performance. 

c)  Development  opportunities  in  later  personal  plans  should  be  consistent 
with  the  evaluation. 


Boards  assess 
CEO  performance 
but  often  not 
comprehensive 


Our  audit  findings 

All  boards  carried  out  a  form  of  evaluation  of  their  CEO,  though  a  number  were 
not  comprehensive.  Many  stated  the  need  for  an  annual  evaluation  in  the  CEO 
contract.  Most  boards  have  the  evaluation  system  set  out  in  a  policy.  Others 
simply  state  that  one  is  needed  and  still  others  make  no  policy  reference  to  an 
annual  CEO  appraisal. 


Employee  CEOs 
subject  to 
department  system 


When  the  CEO  is  a  department  employee,  the  evaluation  system  is  generally 
based  on  what  government  departments  use  for  staff.  These  systems  had  many 
of  the  characteristics  of  a  good  system.  In  all  cases,  these  department  systems 
were  adapted  to  allow  an  opportunity  for  the  board  to  provide  input.  Each  board 
was  free  to  determine  how  it  gathered  this  information,  so  the  processes  varied. 


Much  variation 
among  boards 


Examples  of 
systems  boards 
use 


When  the  board  has  exclusive  authority  to  establish  and  perform  the  evaluation 
system,  the  approach  taken  varied  considerably  among  boards.  Following  are 
examples  of  systems: 

1.    The  board  established  an  evaluation  system  based  on  good  practice.  It 
includes  a  360°  survey,  personal  performance  plans,  and  board  members 
contributing  to  the  evaluation. 
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i 


Many  boards  reported  that  their  system  included  feedback  to  the  CEO 
during  the  year — formal  or  informal,  provided  by  the  Board  or  the  Chair. 
Some  boards  focused  exclusively  on  the  organizational  plan  to  assess  CEO 
performance. 

Certain  boards,  rather  than  doing  an  evaluation  as  a  board,  delegate  the  task 
to  a  board  committee  or  to  the  board  chair.  In  some  cases,  the  evaluation 
goes  to  the  board  for  discussion  before  it  goes  to  the  CEO.  In  a  few  cases, 
the  board  as  a  whole  is  not  involved  in  the  process. 
In  a  few  cases,  the  approach  to  CEO  evaluation  is  determined  each  year  by 
the  board  chair  or  a  committee.  The  information  is  then  gathered  and  a 
document  is  prepared  by  the  board  chair  or  a  committee.  In  these  cases, 
CEO  performance  plans  were  not  prepared. 

Results  of  the  CEO  evaluation  may  be  presented  to  the  CEO  by  the  board 
chair  and  committee  chair,  or  the  board  as  a  whole. 


Most  boards 
review  CEO 
objectives 


Trust  in  CEO  not 
questioned 


The  majority  of  boards  reviewed  the  CEO's  objectives  or  the  board's  business- 
plan  objectives.  While  considering  such  matters  as  achieving  stated  objectives 
is  obviously  critical  and  central  to  the  process,  the  level  of  confidence  and  trust 
by  the  board  in  the  CEO  generally  underlies  any  other  consideration.  When  we 
interviewed  board  chairs,  we  asked  them  if  they  had  asked  members  if  they 
(members)  had  trust  and  confidence  in  the  CEO.  In  virtually  all  cases,  the  board 
chair  did  not  ask  board  members  this  question. 


Some  post- 
secondary 
institutions 
rigorously  review 
CEO  performance 


In  the  post-secondary  education  sector,  we  observed  that  some  institutions 
require  a  rigorous  review  of  CEO  performance  before  renewing  the  contract. 
The  process  that  post  secondary  institutions  use  is  generally  more  rigorous  than 
other  organizations  use.  In  our  opinion,  it  shows  the  importance  of  the  decision 
to  extend  a  contract,  which  is  analogous  to  the  hiring  decision. 


In  only  one  case,  the  chair  stated  that  they  routinely  used  external  expertise  to 
assist  in  the  evaluation. 


Feedback  to  CEO 
in  various  forms 


Whole  board 
should  own  the 
evaluation 


We  observed  that  feedback  to  the  CEO  was  delivered  by  one  board  member 
(typically,  the  chair),  2  members  (typically,  the  board  chair  and  a  committee 
chair) ,  by  the  committee  responsible  for  the  evaluation,  or  by  the  board  chair  in 
the  presence  of  the  whole  board.  In  our  opinion,  the  key  to  the  process  is  not  the 
number  of  board  members  present,  but  to  ensure  the  evaluation  is  owned  by  the 
board  as  a  whole.  However,  at  a  minimum,  at  least  two  board  members  should 
conduct  the  feedback  session.  This  reduces  the  potential  of  partiality  or  bias  that 
may  occur  in  a  one-on-one  session. 
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Formal  CEO 

compensation 

policy 

Full  board 
approval 


Peer  group  for 
comparison 


Broad  group 


Public-sector 
comparison 


Large  group 


External  advisors 


Implication  and  risks  if  recommended  practices  not  followed 

The  absence  of  effective,  comprehensive  CEO  evaluation  systems  may  result  in 
ineffective  performance  by  agencies  and  failure  to  achieve  goals. 

6.3  Compensation  of  CEO 
Recommended  practices 

Boards  of  directors  of  provincial  agencies  should  prepare  and  adopt  a  formal 
CEO  compensation  policy.  The  policy  should  require  that  the  board  committee 
that  deals  with  CEO  compensation  forward  its  decision  and  rationale  to  the  full 
board  for  approval.  The  policy  should  provide  clear  direction  on  determining  all 
elements  of  total  compensation,  including  variable  pay  and  pension 
arrangements. 

Boards  of  directors  of  provincial  agencies  should  set  the  target  for  CEO 
compensation  by  comparison  with  a  peer  group  consistent  with  good 
compensation  practices.  Any  recommended  adjustment  beyond  the  target 
should  be  supported  by  a  clear  rationale. 

Boards  of  directors  of  provincial  agencies  should  ensure  that  the  comparator 
group  used  meets  the  following  criteria: 

•  The  make-up  of  the  CEO  peer  group  should  be  broadly-based,  include 
comparators  of  similar  size  and  complexity,  local  organizations  or  from  a 
different  industry  that  the  agency  may  have  recruited  from  or  lost 
executives  to  recently. 

•  The  comparison  should  include  data  on  Alberta  public-sector  CEO 
compensation  rates  (as  provided  by  the  Deputy  Minister  of  Executive 
Council)  as  a  reality  check  to  ensure  that  the  recommended  compensation 
package  based  on  market  peer  comparison  is  fair  to  the  CEO,  the  board, 
stakeholders  and  Albertans. 

•  The  comparator  group  should  be  large  enough  to  provide  sufficient 
information,  and  when  possible,  include  at  least  12  organizations. 

Boards  of  directors  of  provincial  agencies  should  ensure  that  external  CEO 
compensation  advisors  report  directly  to  the  board  or  the  appropriate  board 
committee,  and  fully  disclose  the  nature  of  any  current  or  prior  (within  the  past 
12  months)  work  performed  for  management  along  with  the  fees.  Directors 
should  assess  whether  the  consultant  is  free  of  conflicts  of  interest.  The  result  of 
this  assessment  should  be  recorded  in  the  minutes. 
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No  one  model  to 
set  CEO 
compensation 


Background 

Boards  decide  on  the  compensation  for  a  CEO  when  the  CEO  is  first  hired  and 
each  year  after.  Boards  balance  the  demands  on  the  CEO  with  fiscal 
responsibility.  Each  year,  Boards  invest  considerable  effort  deciding  the 
appropriate  adjustment  for  executive  compensation.  Also,  each  year  many 
independent  studies  comment  on  executive  compensation  trends.  In  making  the 
compensation  decision,  boards  consider  such  factors  as  the: 

•  performance  of  the  CEO. 

•  demands  of  the  position. 

•  risks  inherent  in  the  decision-making  of  the  CEO. 

•  history  of  the  board  and  its  past  judgments  on  CEO  compensation. 

•  competitive  marketplace. 

•  impact  of  salary,  benefits,  variable  pay  and  other  compensation. 


Many 

arrangements 

Base  pay 
Variable  pay 


Benefits 


Termination  pay 


Compensation  arrangements  include  a  wide  range  of  differing  approaches  and 
benefits.  For  example,  arrangements  may  include: 

•  Annual  base  salary. 

•  Variable  pay  (generally  takes  the  form  of  an  annual  lump-sum  payment 
called  a  bonus) ;  may  also  be  called  pay  at  risk,  performance  pay  or 
incentive  pay. 

•  Employee  benefits 

•  Normal  items  such  as  pensions,  insurance,  medical  coverage,  long 
term  disability,  vacation,  etc. 

•  Other  items  such  as  reimbursement  for  spousal  travel,  mortgage 
subsidy,  car  and  training  allowance. 

•  Termination  payment 

•  if  CEO  is  terminated  without  or  with  cause,  and  if  CEO  initiates  the 
termination. 


Peer  group  for 
comparison 


The  normal  approach  for  a  board  is  to  obtain  information  on  compensation 
arrangements  in  a  selected  group  of  organizations  (the  peer  group) .  Many 
boards  hire  compensation  consultants  to  gather  the  peer-group  information  and 
provide  advice.  However,  the  compensation  decision  must  be  made  by  the 
board  using  its  best  judgment.  The  factors  underlying  these  judgments  differ 
from  case  to  case  and  year  to  year.  Therefore,  compensation  paid  to  one  CEO 
may  differ  considerably  from  that  paid  to  another. 


Fairness  of 

compensation 

important 


The  fairness  of  the  compensation  arrangement  relates  to  the  appropriateness  of 
the  process  used  to  reach  it  and  the  rigor  of  board  discussion  in  assessing  that 
the  arrangement  is  fair  to  the  CEO  and  the  agency.  The  dollars  involved  are 
considerable  compared  to  salaries  paid  to  most  people.  In  the  end,  the  key 
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question  is  whether  the  board's  approach  to  setting  its  CEO's  compensation, 
and  the  resulting  compensation,  is  fair  and  reasonable. 


Board  should  set 
policy 


CEO  contract 
should  cover  all 
elements 


Criteria:  the  standards  we  used  for  our  audit 

Compensation — the  system  should  determine  fair  compensation  for  the  CEO. 

a)  The  board  should  establish  policy  for  setting  compensation  or 
recommending  compensation  to  the  appropriate  authority.  Compensation 
policy  should  be  reasonable  and  require  an  annual  compensation 
adjustment,  determined  by  the  appropriate  authority,  to  be  based  on 
evidence,  and  consistent  with  the  CEO  contract,  performance,  market,  and 
relevant  Alberta  public-sector  policies  and  practices. 

b)  The  contract  with  the  CEO  should  contain  all  elements  of  the  compensation 
package.  It  should  accurately  describe  the  annual  adjustment  process  and 
compensation  should  be  consistent  with  the  CEO  contract. 


Our  audit  findings 

Criterion  (a)  is  partly  met;  criterion  (b)  is  met.  In  section  5.1  of  this  report,  we 
make  a  recommendation  directed  to  the  government  for  it  to  improve  guidance 
on  subjects  covered  in  this  section.  This  guidance  will  help  boards. 


One-third  of 
agencies  lack  clear 
policy 

Three  approaches: 

Tied  to  deputy 
minister  pay 


Consultant  gives 
advice 


Employee  pay 
scale  used 


Compensation  policy — about  a  third  of  agencies  did  not  have  clearly 
articulated  compensation  policies.  In  addition,  the  approaches  to  determine 
compensation  are  quite  divergent.  These  approaches  fell  into  the  following 
three  categories: 


2. 


3. 


A  number  of  Boards  with  the  responsibility  to  determine  CEO 
compensation  decided  to  benchmark  the  CEO  compensation  arrangement 
and  annual  adjustment  to  deputy  ministers'  compensation. 
Other  Boards  with  the  responsibility  to  determine  CEO  compensation  have 
articulated  compensation  policies,  employ  a  Human  Resource  and 
Compensation  Committee  to  undertake  a  compensation  analysis,  and 
normally  engage  the  assistance  of  external  compensation  consultants  to 
provide  market  data  analysis  and  advice. 

Agencies  where  the  CEO  is  an  employee  of  the  department  conform  to  the 
Alberta  government  compensation  policy  and  processes. 


Lack  of  policy  a 
concern 


The  lack  of  a  clear  policy  in  agencies  that  have  the  duty  to  determine  their 
CEO's  compensation  is  a  concern.  As  discussed  below,  we  are  particularly 
concerned  with  practices  for  variable  pay,  CEO  severance  provisions,  market 
analysis  (peer  group  comparison),  and  supplemental  retirement  plans. 
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Some  decisions 
made  only  by 
chair  or  committee 
and  reported  to 
board 


In  most  agencies,  the  board  authorized  the  annual  compensation  adjustment.  In 
cases  where  a  minister  or  the  Lieutenant  Governor  in  Council  is  to  approve  the 
recommendation,  they  did.  Normally,  this  was  on  the  recommendation  of  a 
board  committee.  However,  in  some  cases,  the  decision  was  made  by  the  chair 
or  a  committee  and  only  reported  to  the  board  as  information.  In  our  opinion, 
setting  and  recommending  compensation  are  fundamental  governance 
responsibilities  that  should  be  made  by  the  full  board.  Policies  should  explain 
how  the  board  decision  will  be  made. 


Large  range  of 
variable  pay 


Examples 


Factors  if  variable 
pay  used 


Key  part  of  CEO 

compensation 

package 


Variable  pay — variable  pay  is  another  area  of  considerable  variety.  In  many 
cases,  CEO  compensation  includes  variable  pay.  In  other  cases,  agencies 
disagree  with  the  philosophy  of  this  form  of  compensation.  This  is  due  to  the 
differing  nature  of  agencies,  sector  practices,  and  compensation  philosophies  of 
boards  and  CEOs.  Some  boards  establish  performance  measures  as  the  basis  for 
CEO  performance  bonuses;  other  boards  do  not  have  any  objective  criteria  for 
granting  bonuses  to  CEOs,  and  as  a  result,  the  amounts  can  be  automatic  or 
arbitrary. 

Examples  of  different  arrangements  are: 

•  An  agency's  variable  pay  is  tied  to  the  evaluation  process,  which  started 
with  a  performance  plan  that  includes  clearly  defined  targets. 

•  An  agency  used  performance  to  determine  CEO  variable  pay  as  it  did  for 
all  staff.  " 

•  A  board  used  a  subjective  assessment  based  on  a  performance  appraisal 
and  organizational  success. 

•  A  Board  used  variable  pay  to  show  its  support  for  the  CEO. 

•  The  variable  pay  was  needed  to  ensure  that  the  overall  CEO  compensation 
package  was  considered  by  the  board  to  be  more  reasonable. 

In  our  opinion,  boards  need  to  carefully  consider  if  variable  pay  is  appropriate. 
If  they  decide  to  use  it,  they  should: 

•  identify  and  articulate  the  purpose  of  the  plan — is  it  to  reward  individual 
performance,  share  in  organizational  success,  or  a  blend  of  the  two? 

•  develop  an  objective  verifiable  methodology  for  setting  the  annual  amount. 

•  establish  targets  that  are  challenging  and  represent  real  measurable  change. 
Also,  exceeding  expectations  should  require  effort  that  is  far  beyond  what 
is  ordinary. 

•  stick  with  the  methodology  whether  the  result  is  positive  or  negative. 

CEO  severance  provisions — these  are  a  key  part  of  CEO  compensation 
packages.  Forty-nine  of  sixty-one  CEOs  of  surveyed  agencies  have  severance 
provisions  in  their  contracts.  The  remaining  12  did  not  report  any  information 
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on  severance  to  us.  Severance  provisions  vary  widely  from  3  to  30  months. 
Most  common  is  12  months. 


Includes  amount 
in  lieu  of  benefits 


BC  comparison 


Need  for  legal 
advice  on 
severance  in  lieu 
of  notice 


Voluntary 
departure 


In  at  least  6  of  the  CEO  contracts,  severance  pay  includes  an  amount  in  lieu  of 
benefits.  One  contract  includes  an  average  of  two  years  bonus  pay  as  part  of  the 
termination  package. 

By  comparison,  the  maximum  severance-in-lieu-of-notice  for  CEOs/presidents, 
deputy  ministers,  and  school  superintendents  in  British  Columbia  are: 

•  up  to  12  months  for  18  to  35  months  of  service  in  the  position. 

•  up  to  14  months  for  36  to  47  months  of  service  in  the  position. 

•  up  to  16  months  for  48  to  59  months  of  service  in  the  position. 

•  up  to  18  months  for  60  or  more  months  of  service  in  the  position. 

Boards  should  obtain  legal  advice  before  agreeing  to  severance-in-lieu-of- 
notice  provisions.  This  advice  will  help  boards  understand  current  common-law 
standards  and  potential  legal  costs.  Boards  will  then  need  to  balance 
information  on  costs  with  their  duty  to  be  fiscally  prudent  and  the  need  to 
attract  good  candidates. 

Some  contracts  have  a  provision  to  pay  severance  when  a  CEO  voluntarily  ends 
employment.  These  benefits  took  a  number  of  different  forms.  Examples  are: 

•  CEO  is  paid  12  months  base  salary,  plus  benefits  and  the  average  of  the 
highest  2  years  bonus  as  a  lump  sum. 

•  CEO  is  kept  on  salary  and  receives  benefits  for  a  fixed  period  after  leaving 
(12  to  24  months,  depending  on  terms  of  service)  for  "administrative"  or 
"Professional"  leave. 

•  CEO  is  paid  a  retirement  allowance  of  $2,000  for  each  year  of  service. 
Contract  recognized  36  years  of  service  as  the  starting  point  for  this 
calculation. 


Severance  for 

voluntary 

termination 


All  these  arrangements  are  the  product  of  a  negotiation  and  supported  by  some 
rationale  from  the  board  chair  and  CEO.  In  two  interviews,  the  rationale 
included  the  duty  to  maintain  a  precedent  or  the  need  to  provide  a  retention 
incentive.  In  the  post-secondary  education  sector,  severance  benefits  for 
voluntary  termination  are  in  lieu  of  sabbatical  entitlement.  We  were  unable  to 
determine  the  basis  for  such  a  wide  variety  of  practice  for  voluntary  termination 
benefits. 


Compensation 
based  on  external 
comparison 


Market  analysis  (peer  group  comparison) — the  annual  compensation 
decision  made  by  boards  on  annual  pay  is  based  on  the  contract  or  policy.  In  a 
number  of  cases,  the  CEO  compensation  is  adjusted  annually  by  an  amount 
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specified  in  the  contract.  Some  contracts  require  the  amount  to  match  the 
settlement  with  a  union.  In  others,  it  is  an  amount  the  board  considers 
appropriate.  In  these  cases,  the  board  arrived  at  an  annual  compensation  it 
believed  to  be  fair,  just  and  comparable  to  similar  positions  in  other  institutions 
or  among  a  peer  group.  Most  of  these  annual  reviews  are  primarily  driven  by 
external  market  comparisons  in  some  form,  meaning  that  most  CEO 
compensation  rates  and  adjustments  are  not  fully  linked  to  CEO  performance, 
even  when  boards  conduct  annual  evaluations. 


Peer-comparator 
group 


Most  boards  have 
list  of  comparator 
organizations 


Leap-frog  effect 
increases  pay 
continually 


Target  salaries 
above  50th 
percentile 


The  peer  comparator  group  is  a  list  of  outside  organizations  in  a  similar 
business  or  industry  and  of  a  similar  size  and  complexity  to  the  organization  in 
question.  This  list  is  used  to  benchmark  executive  compensation  levels  and 
compare  compensation  plan  structures. 

The  questionnaire  responses  by  the  various  boards  indicates  that  regardless  of 
whether  boards  have  a  formal  compensation  policy,  the  majority  of  boards  have 
a  list  of  comparator  organizations,  which  they  have  decided  is  a  reasonable 
comparison  group.  For  example,  a  list  may  include  similar  size  institutions  for 
the  colleges  within  Alberta,  similar  university  or  healthcare  organizations 
across  Canada  or  internationally,  private  sector  businesses  in  the  same  sector,  or 
similar  public-sector  organizations  in  other  jurisdictions. 

The  peer  group  model  has  been  criticized  as  the  cause  of  continued  upward 
ratcheting  in  executive  pay  as  organizations  strive  to  leap-frog  each  other 
against  the  ever-increasing  median  to  the  75th  percentile  pay  level. 

If  the  selected  organizations  for  the  peer  group  represent  the  high  payers  in  the 
marketplace,  then  the  compensation  arrangement  may  be  too  generous. 

A  recent  survey  by  two  national  consulting  firms  in  Canada  on  compensation 
policies  mostly  in  the  private  sector  shows  that  target  salaries  are  set  largely  at 
the  median  or  50th  percentile  among  organizations.  In  two  cases,  we  observed 
target  salaries  greater  than  the  median  (75%  and  90%  percentiles).  The 
selection  of  a  target  significantly  greater  than  50%  creates  the  risk  of  salary 
inflation. 


Consultants  and 
HR  people  need  to 
avoid  conflicts  of 
interest 


Independence  of  compensation  consultants — some  boards  engage  external 
consultants  to  assist  in  the  CEO  compensation-review  process.  This  practice  is 
consistent  with  good  board  governance.  However,  there  is  uncertainty  about  the 
ability  of  the  external  consultant  to  provide  independent  advice  when  the  same 
consultant  or  consulting  firm  provides  compensation  advice  or  other  services  to 
the  management  of  the  organization.  In  a  number  of  organizations, 
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compensation  information  was  developed  by  the  human  resources  staff.  These 
situations  present  a  higher  risk  of  conflict  of  interest. 

Supplementary  Retirement  Plans — in  our  2005-2006  Annual  Report,  on 
page  97,  we  recommended  that  the  Department  of  Finance  assess  the  annual 
and  cumulative  costs  and  risks  associated  with  Supplementary  Retirement 
Plans. 


Recommendation 
from  2005-06  not 
yet  implemented 

Unfunded  plans 
can  take  30-40 
years  to  pay  out 


Funding  of  plans 
to  substantially 
eliminate  financial 
risks 


This  recommendation  has  not  yet  been  implemented  by  the  Department  of 
Finance  and  Enterprise.  As  a  result,  we  again  saw  a  considerable  variety  of 
these  plans  in  agencies.  The  plans  represent  a  cost  to  each  agency,  and  in 
aggregate,  to  the  entire  public  sector.  In  one  case,  the  annual  cost  of  the  plan  is 
equal  to  the  annual  salary  paid  to  CEO.  In  a  number  of  cases,  the  plans  are 
unfunded  and  will  continue  to  be  a  burden  on  the  agencies  until  all  benefits  are 
paid  out — 30  to  40  years  for  some  plans. 

In  2008,  an  internal  report  prepared  by  the  Department  of  Finance  and 
Enterprise  recommended  that  the  Department  require  plans  to  be  funded  to 
eliminate  substantially  all  the  financial  risks  associated  with  the  plans.  Later  in 
2008,  the  Department  plans  to  update  the  internal  report  and  assess  its  options 
to  establish  funding  of  plans  as  a  good  practice  for  public-sector  organizations. 


Determining 
pension  earnings 


No  contribution 
needed 

Backdating 
several  years 


Indexing 


We  found  that: 

•  some  plans  are  true  supplemental  plans — they  are  in  addition  to  a  public 
sector  plan,  such  as  the  Local  Authorities  pension  plan;  in  other  cases,  they 
are  the  only  pension  plan  for  the  CEO. 

•  In  one  case,  earnings  for  pension  purposes  included  variable  pay  and  were 
based  on  the  average  of  the  highest  2  years.  In  a  typical  public  sector  plan, 
the  pension  is  based  on  annual  or  base  pay  that  excludes  variable  pay,  and 
uses  the  average  of  the  highest  5  years  base  salary. 

•  Unlike  the  supplemental  plan  for  department  management,  most 
supplemental  plans  in  agencies  do  not  require  employee  contribution. 

•  Some  supplemental  plans  brought  in  during  the  last  few  years  were 
backdated  to  the  implementation  of  the  pension  cap  by  the  federal 
government  in  the  early  1990s.  In  one  case,  the  backdating  was  28  years  at 
March  31,  2008 — even  though  the  CEO  joined  the  organization  in  1999. 
This  is  in  contrast  to  the  plan  established  for  departmental  management  that 
started  with  implementation  in  1999. 

•  Some  plans  did  not  provide  for  indexing  of  annual  pension  payments. 
Public  sector  plans  are  indexed  at  60%  of  cost-of-living  increases. 
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Form  of  plan 
complex  decision 


Different 

employment 

models 


•     One  plan  will  pay  the  CEO  each  year,  after  retirement,  $25,000  for  each 
year  of  employment. 

The  form  of  the  pension  plan  provided  to  a  CEO  is  a  complex  and  financially 
significant  decision.  Boards  need  both  flexibility  in  designing  a  plan  and 
guidance  in  deciding  what  is  acceptable  in  the  Alberta  public  sector. 

CEO  contracts — CEOs  have  different  employment  models:  some  are 
employed  directly  by  the  agency,  while  others  are  employees  of  the  relevant 
department.  Contracts  generally  include  all  compensation  components. 


Implication  and  risks  if  recommended  practices  not  followed 

Without  appropriate  policies  and  practices,  the  public  sector  risks  paying  too 
much  for  CEOs  or  having  difficulty  attracting  and  keeping  appropriate  qualified 
people. 
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Appendix  A: 

Entities  included  in  the  audit 


Advanced  Education  and  Technology 

Alberta  College  of  Art  and  Design 

Alberta  Heritage  Foundation  for  Medical  Research 

Alberta  Heritage  Foundation  for  Science  and 

Engineering  Research  (Alberta  Ingenuity) 
Alberta  Research  Council  Inc. 
Athabasca  University 
Bow  Valley  College 
Grande  Prairie  Regional  College 
Grant  MacEwan  College 

Informatics  Circle  of  Research  Excellence  (iCore  Inc.) 
Lakeland  College 
Medicine  Hat  College 
Mount  Royal  College 
NorQuest  College 

Northern  Alberta  Institute  of  Technology 
Northern  Lakes  College 
Olds  College 
Portage  College 
Red  Deer  College 

Southern  Alberta  Institute  of  Technology 
University  of  Alberta 
University  of  Calgary 
University  of  Lethbridge 
University  Technologies  Group 

Agriculture  and  Food 

Agriculture  Financial  Services  Corporation 

Children's  Services 

Calgary  and  Area  Child  and  Family  Services  Authority 
Central  Alberta  Child  and  Family  Services  Authority 
East  Central  Alberta  Child  and  Family  Services  Authority 
Edmonton  and  Area  Child  and  Family  Services  Authority 
Mci is  Settlements  Child  and  Family  Services  Authority 
North  Central  Alberta  Child  and  Family  Services  Authority 
Northeast  Alberta  Child  and  Family  Services  Authority 
Northwest  Alberta  Child  and  Family  Services  Authority 
Southeast  Alberta  Child  and  Family  Services  Authority 
Southwest  Alberta  Child  and  Family  Services  Authority 


Energy 

Alberta  Utilities  Commission 
Energy  Resources  Conservation  Board 

Finance  and  Enterprise 

ATB  Financial 

Alberta  Capital  Finance  Authority 

Alberta  Pensions  Administration  Corporation 

Alberta  Securities  Commission 

Credit  Union  Deposit  Guarantee  Corporation 

Health  and  Wellness 

Alberta  Alcohol  and  Drug  Abuse  Commission 
Alberta  Cancer  Board 
Alberta  Mental  Health  Board 
Aspen  Regional  Health  Authority 
Calgary  Health  Region 
Capital  Health 

Chinook  Regional  Health  Authority 
David  Thompson  Regional  Health  Authority 
Health  Quality  Council  of  Alberta 
Palliser  Health  Region 
Peace  Country  Health 

Seniors  and  Community  Supports 

Persons  with  Development  Disability  Community  Board 

-  Calgary 

Persons  with  Development  Disability  Community  Board 

-  Central 

Persons  with  Development  Disability  Community  Board 

-  Edmonton 

Persons  with  Development  Disability  Community  Board 

-  Northeast 

Persons  with  Development  Disability  Community  Board 

-  Northwest 

Persons  with  Development  Disability  Community  Board 

-  South 

Solicitor  General  and  Public  Security 

Alberta  Gaming  and  Liquor  Commission 


Employment,  Immigration  and  Industry 

Workers'  Compensation  Board  Sustainable  Resource  Development 

Natural  Resources  Conservation  Board 
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Information  technology  control 
framework 


Previous 
recommendation 


Comprehensive  IT 
control  framework 
critical  to  internal 
control 


Background 

In  our  April  2008  Report  (page  170),  we  made  the  following  recommendation: 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with  all 
ministries  and  through  CIO  Council,  develop  and  promote: 

•  a  comprehensive  IT  control  framework,  and  accompanying  implementation 
guidance,  and 

•  well-designed  and  cost-effective  IT  control  processes  and  activities. 

A  detailed  description  of  IT  control  frameworks,  and  the  importance  of  using  them 
to  maintain  a  secure  IT  control  environment,  can  be  read  in  our  April  2008  Report, 
starting  on  page  167. 

An  IT  control  framework,  such  as  Control  Objectives  for  Information  and  Related 
Technology  (COBIT),  is  an  efficient  way  to  ensure  that  there  are  sufficient  and 
effective  controls  over  an  organization's  information  and  the  systems  and  processes 
that  create,  store,  manipulate,  and  retrieve  important  data.  COBIT  is  an  industry- 
recognized  best  practice  IT  control  framework,  developed  and  maintained  by  the 
Information  Technology  Governance  Institute.  COBIT  has  34  high-level  objectives 
and  2 1 1  individual  control  activities  that  give  senior  management  and  IT  users 
generally  accepted  measures,  indicators,  processes  and  best  practices  to  maximize 
IT  benefits  and  minimize  risks. 


Regular  risk 
assessments  make 
it  easier  to  use  IT 
control  framework 


IT  control 
framework 
integral  part  of 
internal  control 
program 


Conducting  a  risk  assessment  is  a  key  activity  required  by  control  frameworks,  and 
results  in  identifying  and  ranking  risks  by  determining  their  likelihood  and  impact. 
This  enables  effort  to  be  focused  on  developing  and  implementing  well-designed 
and  cost-effective  IT  control  processes,  and  is  ultimately  the  most  efficient  way  to 
preserve  the  security  and  integrity  of  an  organization's  information  and  systems. 

A  comprehensive  IT  control  framework  should  be  a  critical  part  of  every 
organization's  internal  control  program  to  mitigate  risks  and: 

•  provide  secure  programs  and  services  to  employees  and  Albertans. 

•  protect  the  confidentiality  and  security  of  information. 

•  ensure  that  systems  work  as  expected  and  are  available  when  needed. 
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Information  technology  control  framework 


Criteria:  the  standards  we  used  for  our  audit 

How  things  should   a  comprehensive  IT  control  framework  should  guide  the  development  and 

implementation  of  well-designed,  efficient,  and  effective  IT  control  processes  to 
mitigate  identified  risks  and  to  provide  efficient  and  secure  programs  and  services. 

Our  audit  findings 

Recommendations    We  continued  our  examination  of  the  quality  of  IT  controls  in  government 

organizations,  and  the  extent  to  which  they  had  adopted,  and  were  following,  an  IT 
control  framework.  We  made  recommendations  in  our  management  letters  to  the 
following  organizations  as  they  did  not  have  an  adequate  IT  control  framework  in 
place: 

•  Alberta  Heritage  Foundation  for  Science  and  Engineering  Research 

•  Department  of  Finance  and  Enterprise 

•  Alberta  Investment  Management  Corporation 

•  Alberta  Pensions  Administration  Corporation 

•  Alberta  Securities  Commission 

•  Ministry  of  International  and  Intergovernmental  Relations 

•  Solicitor  General  and  Minister  of  Public  Security 

•  Alberta  Gaming  and  Liquor  Commission 

•  Tourism,  Parks,  Recreation  and  Culture 


Implications  and  risks  if  recommendation  not  implemented 

Without  an  adequate  IT  control  framework,  management  cannot: 

•  know — or  show  that  it  knows — the  risks  to  the  organization's  information 
systems  and  data. 

•  implement  efficient  and  cost-effective  IT  controls  to  effectively  mitigate 
unknown  risks — or  ensure  the  organization  meets  all  its  business  goals 
efficiently  and  effectively. 

•  rely  on  the  organization's  data,  applications,  or  systems  to  provide  complete, 
accurate,  timely  and  valid  information. 


52 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Cross-Ministry  Protecting  information  assets 


Protecting  information  assets 


Central  security 
office  needed  for 
IT  security  across 
government 


1 .  Central  security  office 


Recommendation  No.  4 

To  secure  the  Government  of  Alberta's  information,  we  recommend  that 
Executive  Council  ensures  that  a  central  security  office  is  immediately 
established  to  oversee  (develop,  communicate,  implement,  monitor  and 
enforce)  all  aspects  of  information  security  for  organizations  using  the 
government's  shared  information-technology  infrastructure. 


Government 
responsible  to 
protect 
information 


Background 

The  Government  of  Alberta  (GoA)  manages  large  volumes  of  highly  sensitive 
and  confidential  information  that  is  vital  to  the  GoA's  business  operations.  This 
includes  corporate  financial  data,  ministry-specific  business  information,  and 
the  personal  data  of  Albertans  (for  instance,  health  care  records  and  drivers' 
license  data).  Not  only  does  the  government  have  a  responsibility  to  safeguard 
this  information,  it  is  required  by  legislation  {Freedom  of  Information  and 
Protection  of  Privacy  Act,  Section  38)  to  "...  protect  personal  information  by 
making  reasonable  security  arrangements  against  such  risks  as  unauthorized 
access,  collection,  use,  disclosure  or  destruction". 


All  this  information  is  stored  in  electronic  form,  and  resides  on  servers  (see 
section  5:  Glossary),  either  within  the  ministries  or  at  shared  data  centres. 


Three  different 
audits 

Web  applications 


Wireless 
connections 

Direct  connections 


This  combined  report  focuses  on  three  separate,  but  related,  systems  audits  that 
deal  with  different  ways  in  which  data  can  be  accessed: 

•  a  web  application  that  retrieves  data  from  a  server  in  response  to  requests 
received  from  an  Internet-facing  application  {Web  application  and  network 
security) . 

•  a  wireless  connection  that  allows  access  to  a  network  on  which  a  server 
resides  ( Wireless  access  point  security) . 

•  a  direct  connection  with  a  server  {Protection  of  data  facilities). 


It  is  possible  to  use  any  of  these  methods  to  access  government  information. 
Without  adequate  protection,  attackers  will  focus  on  the  path  of  least  resistance 
(with  the  weakest  controls)  to  gain  unauthorized  entry  to  the  system. 
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Protecting  information  assets 


Key  problem:  no 
central  authority 
for  government- 
wide  IT  security 


Our  audit  findings 

We  reviewed  three  sets  of  access  controls:  one  for  each  of  the  three  ways  to 
access  data.  Each  separate  audit  report  highlights  a  lack  of  surveillance  and 
detection.  The  overall  impact  to  the  GoA  is  magnified  when  the  results  are 
combined.  The  most  worrisome  conclusion  from  our  work  is  that  there  is  no 
integrated  approach  to  ensuring  the  security  of  the  GoA.  No  one  single  GoA 
function  has  the  authority  and  responsibility  to: 
design  security  for  the  government  as  a  whole. 

evaluate  the  effect  of  weak  security  in  one  part  of  the  government  and  its 
impact  on  the  rest. 

detect  attempted  intrusions  or  respond  to  potential  security  threats  across 
the  GoA. 

continually  monitor  the  GoA  for  threats  and  vulnerabilities  and  develop 
remediation  plans. 

enforce  the  solutions  required  to  keep  the  GoA  secure. 


Inadequate  IT 
security 


No  one  person  in  the  Government  of  Alberta  has  been  given  the  ultimate 
authority  and  responsibility  for  information  security.  As  each  entity  has  the 
responsibility  to  manage  its  own  information  technology  (IT)  policies,  practices 
and  infrastructure,  security  across  the  government  is  inconsistent,  varying  from 
entity  to  entity.  And  information  security  is  only  as  strong  as  the  weakest  link — 
if  one  part  of  the  organization  doesn't  have  adequate  security  controls  in  place, 
other  parts  of  the  organization  can  be  exposed,  regardless  of  whether  or  not  they 
have  well-designed  security  controls.  Because  information  security  in  the  GoA 
is  not  consistently  enforced,  all  information  assets  in  the  GoA  are  exposed  to 
unacceptable  risk. 


Service  Alberta 
provides  shared 
infrastructure  but 
has  no  authority 
over  other  entities 


Service  Alberta  provides  a  suite  of  services — shared  computing  infrastructure — 
to  government  organizations.  Service  Alberta  is  responsible  to  ensure  the  shared 
infrastructure  is  secure  and  reliable.  However,  Service  Alberta  does  not  have 
the  authority  to  ensure  that  organizations  using  the  shared  infrastructure  meet 
minimum  baseline  security  requirements  within  their  own  computing 
environments. 


Decentralized  IT 
approach 


The  government  uses  a  decentralized  approach  to  information  technology.  This 
distributed  or  "trusted"  IT  environment,  allows  ministries  and  other 
organizations  to  join  the  GoA  computing  environment  quickly  and  share 
resources,  such  as  printing  and  email,  within  the  government.  However,  each 
entity  also  has  the  responsibility  to  manage  its  own  IT  policies,  practices  and 
infrastructure. 
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Decentralized 
approach  for 
programs  and 
services  poses  IT 
security  problems 


Confidential 
information  at  risk 
because  no  central 
policies 


Information  not 

secure 


A  decentralized  approach  may  work  well  for  program  delivery,  but  it  poses 
significant  challenges  for  security.  The  GoA's  existing  distributed  computing 
environment  creates  inherent  vulnerabilities  and  risks.  Information  security  is 
only  as  strong  as  the  weakest  link  -  if  one  part  of  the  organization  doesn't  have 
adequate  security  controls  in  place,  it  can  affect  other  parts  of  the  organization 
that  have  well-designed  security  controls. 

This  disparate  approach  to  security  controls  and  frameworks  creates  inherent 
weaknesses  within  the  GoA  domain  (see  section  5:  Glossary).  Instead  of  having 
one  set  of  policies,  standards  and  procedures  to  monitor  and  enforce,  the 
government  has  left  it  to  the  individual  entities  to  create  their  own  approach  to 
protect  information  assets.  The  result  is  that  the  quality  of  security  policies  and 
practices  across  the  GoA  varies  substantially — confidential  or  sensitive 
information  may  be  at  risk  of  compromise,  without  warning. 

Based  on  our  audit  work,  we  conclude  that  current  policies,  procedures, 
practices  and  control  systems  are  insufficient  to  reasonably  secure  information 
systems  and  data.  Because  of  these  inadequate  systems,  it  is  not  possible  to 
know  if  any  significant  system  breaches  have  occurred. 


Create  one 
authority  for  IT 
security 


Central  office  to 
develop,  monitor 
and  enforce  IT 
security 


Chief  Security 
Officer  must  have 


necessary 
authority 


Need  for  a  central  security  office 

A  more  efficient  and  effective  approach  involves  an  industry  best  practice  of 
creating  one  central  authority  responsible  for  the  development  and 
implementation  of  a  government-wide  strategy  of  asset  protection. 

A  central  security  office  for  the  Government  of  Alberta,  with  the  authority  and 
responsibility  to  develop,  monitor  and  enforce  asset  protection  programs  would 
ultimately  resolve  the  issues  presented  in  our  previous  and  current  audits, 
focusing  on  the  development  and  implementation  of  controls  affecting  the 
entire  government. 

The  central  security  office  and  its  management  team  (typically  led  by  a  Chief 
Security  Officer  or  CSO),  with  the  appropriate  mandate  from  Executive 
Council,  must  have  the  authority  and  responsibility  to  protect  the  information 
assets  of  the  government,  including  the  power  to  enforce  physical  and  logical  IT 
controls  (see  section  5:  Glossary). 

In  prior  reports,  we  have  recommended  the  GoA  adopt  an  IT  control 
framework,  develop  a  project  management  office,  create  a  standardized  systems 
development  lifecycle,  and  develop  a  security  awareness  program. 
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Service  Alberta 
has  worked  to 
improve  IT 
security 

But  lacks  authority 
to  enforce 
compliance 


The  Ministry  of  Service  Alberta  responded  to  these  recommendations,  and 
developed  and  distributed  policies,  standards,  and  procedures.  Their  response  to 
our  findings  shows  its  commitment  to  improve  GoA  information  security. 

That  these  standards  are  not  being  uniformly  followed  across  the  government, 
however,  highlights  the  fundamental  restriction  facing  Service  Alberta.  The 
Ministry  can  develop  policies  and  offer  guidance  to  other  ministries,  but  cannot 
enforce  requirements  on  those  departments,  agencies,  boards  and  commissions 
directly  attached  to  the  GoA  domain. 


Recommendations 
in  3  areas  to 
Service  Alberta 
but  main  problem 
remains 


Central  security 
office  needed  to 
improve 
government  IT 
security 


Organization  use 
multi-layer 
security  for 
protection 


Albertans  expect 
government  to 
protect 
information 


GoA  a  $38-billion 
organization 


In  this  report  we  make  new  recommendations  from  our  work  in  three  additional 
areas —  Web  application  and  network  security,  Wireless  access  point  security, 
and  Protection  of  data  facilities.  Again,  Service  Alberta  has  accepted  our 
recommendations,  and  will  be  developing  and  distributing  the  necessary 
policies,  standards  and  procedures.  The  issue  remains,  however,  that  this 
Ministry  does  not  have  the  authority  to  implement,  monitor  and  enforce  these 
initiatives  on  a  government-wide  basis. 

As  in  the  past,  the  recommendations  resulting  from  our  work  in  these  areas  are 
addressed  to  Service  Alberta  to  resolve,  by  working  in  collaboration  with  all 
ministries,  and  through  the  Chief  Information  Officer  (CIO)  Council. 
Eventually  we  expect  to  raise  such  findings  with  a  central  security  office  that 
has  the  mandate  to  effect  change  and  to  promptly  improve  the  security  profile 
of  the  government. 

We  discussed  our  three  audits  with  the  Office  of  the  Information  and  Privacy 
Commissioner,  as  they  have  potential  privacy  implications. 

Proactive  organizations  embrace  the  value  of  access  controls  and  defense-in- 
depth  strategies.  These  organizations  know  they  must  protect  their  information 
systems.  The  organizations  deploy  access  controls  and  multi-layer  security 
strategies  to  secure  their  information  assets. 

Albertans  expect  government  websites  to  be  secure  from  potential  attack.  They 
expect  that  adequate  physical  controls  will  be  in  place  to  protect  government 
information  systems  and  information,  and  that  newer  technologies,  like  wireless 
networks  are  properly  managed,  and  implemented  in  a  manner  that  adequately 
safeguards  confidential  information. 

The  challenges  posed  by  a  complex  $38  billion  organization  like  the  GoA 
demand  that  there  needs  to  be  a  central  body  responsible  for  ensuring  the 
overall  security  of  the  government.  Other  Canadian  provinces  have  central 
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security  offices,  with  suitable  mandates  and  the  authority  to  ensure  compliance. 
The  Government  of  Alberta  must  promptly  establish  control  over  information 
security. 


Use  of  web 
applications 
increasing  rapidly 


CoA  relies  on  web 
applications  to 
deliver  programs 
and  services 


Web  applications 
increase  security 
risks 


New  security 
vulnerabilities 
every  week 


Implications  and  risks  if  recommendation  not  implemented. 

All  information  assets  will  remain  exposed  to  unacceptable  risk. 

2.  Web  application  and  network  security 

2.1  Summary 

Banking  online,  booking  a  campsite,  renewing  library  books,  registering  for 
courses,  and  making  a  purchase  on  eBay  are  all  examples  of  how  people  use 
'web  applications'  in  their  daily  lives.  Web  applications  make  it  increasingly 
convenient  to  conduct  everyday  transactions,  and  the  number  of  transactions 
done  over  the  Internet  is  increasing  rapidly. 

The  Alberta  government  is  no  exception.  The  GoA  relies  on  web  applications  to 
deliver  programs  and  services  to  Albertans  and  to  process  financial  and 
personal  information.  This  technology  enables  the  GoA  to  increase  the 
efficiency  of  its  program  and  service  delivery.  For  example, 
www.eab.gov.ab.ca,  the  Environmental  Appeals  Board  website,  allows 
Albertans  to  file  online  appeals  of  environmental  judgments.  A  Health  and 
Wellness  website,  www.albertanetcare.ca,  hosts  a  province-wide  electronic 
health  record  (EHR)  that  is  accessible  by  health  care  practitioners. 

Web  applications,  by  their  very  purpose,  increase  risk  exposure  significantly. 
Web  applications  need  to  be  "visible"  on  the  Internet.  They  are  placed  on  the 
Internet  so  authorized  users  can  access  them  conveniently.  This  also  makes 
them  attractive  and  easy  targets  for  potential  hackers  to  exploit.  Security  must 
be  "designed-in"  from  the  beginning  for  web  applications  to  be  secure. 
Vulnerabilities  in  these  applications  can  be  exposed  and  exploited  to  gain 
unauthorized  access  to  sensitive  data  or  systems. 

Every  week  it  seems  there  are  new  vulnerabilities  identified  and  exploited  for 
all  types  of  web  applications.  Industry  experts  estimate  there  are  currently  more 
than  400  basic  web  application  security  vulnerabilities.  These  base 
vulnerabilities  often  spawn  mutated  versions  not  as  easy  to  identify  and  fix. 
This  creates  thousands  of  different  ways  to  break  through  the  security  of  web 
applications. 
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Shared  computing 
infrastructure 
administered  by 
Service  Alberta 


Service  Alberta  administers  the  GoA's  shared  computing  infrastructure.  This 
shared  network  consists  of  the  physical  network,  the  devices  that  support  it  like 
routers  and  switches,  and  the  software  that  controls  it. 


Network  security 
is  key 


Shared 
infrastructure 
relies  on  trusted 
links 


IT  control 
framework 
supports  web- 
application 
security 


Comprehensive 
approach  to 
security  needed 


Inadequate 
standards  for  web- 
application 
security 

Inadequate 
communication 
and  assistance  for 
web-application 
security 


Network  security  is  critically  important  to  adequately  protect  key  information. 
To  have  good  network  security,  organizations  must  have  appropriate  network 
policies,  procedures,  and  standards  which  they  implement  and  enforce. 

The  shared  infrastructure  relies  on  trusted  links  and  the  security  within  each 
ministry.  Service  Alberta — although  administrators  of  the  shared 
infrastructure — do  not  always  own  or  have  control  over  other  ministry  assets 
using  the  shared  infrastructure. 

An  IT  control  framework  with  defined  security  requirements  and  well-designed 
controls  is  the  foundation  of  a  well-controlled  and  -managed  organization.  In 
our  April  2008  report  to  government,  we  recommended  that  Service  Alberta,  in 
conjunction  with  all  ministries  and  through  CIO  Council,  develop  and  promote: 

•  a  comprehensive  IT  control  framework. 

•  guidance  to  implement  well-designed  and  cost-effective  IT  control 
processes  and  activities. 

Secure  and  well-managed  organizations  have  comprehensive  IT  control 
frameworks  that  have  properly  defined  and  consistently  followed  security 
policies  and  standards,  and  well-designed  and  effective  control  processes.  A 
comprehensive  approach  to  security  is  necessary  to  ensure  all  web  applications 
remain  secure.  Without  adequate  policies,  procedures,  and  control  processes, 
organizations  cannot  state  risks  are  effectively  mitigated,  nor  can  they 
effectively  mitigate  them. 

In  this  audit,  we  reviewed  existing  web  application  security  documentation.  We 
concluded  that  current  GoA  web  application  security  policies  and  standards  are 
inadequate. 

We  also  confirmed  that  there  is  no  government-wide  program  or  process  to: 

•  ensure  suitable  web  application  security  standards  are  developed, 
communicated,  and  promoted  throughout  all  government  organizations. 

•  provide  guidance  and  assistance  to  government  organizations  to  implement 
secure  web  applications. 
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Systemic  problems 
identified 


69  GoA  websites 
assessed 


Service  Alberta  co-operated  fully  with  us,  allowing  us  to  perform  our  scans 
unhindered.  The  objective  of  our  examination  was  not  to  evaluate  the  intrusion 
detection  systems  used  by  the  GoA,  but  rather  to  assess,  within  a  reasonable 
time-frame,  the  security  quality  of  pre-selected  GoA  websites. 

It  should  be  noted  that  while  these  findings  were  accurate  at  the  point  in  time 
that  the  examination  was  carried  out,  the  vulnerabilities  present,  prior  to,  or 
since  that  date,  may  differ.  Also,  because  of  the  automated  tools  used  to  assess 
the  websites,  there  is  a  possibility  that  some  of  the  vulnerabilities  discovered 
may  be  "false  positives".  Nonetheless,  we  believe  that  the  types  of 
vulnerabilities  present  are  represented  in  our  findings. 

Because  there's  a  lack  of  consistently  followed  policies,  procedures  and 
standards  in  the  GoA,  we  found  systemic  problems  and  vulnerabilities 
throughout  the  web  applications  we  tested.  Given  the  significant  numbers  of 
vulnerabilities  identified  through  our  testing,  we  immediately  discussed  and 
agreed  our  findings  with  Service  Alberta  management.  Upon  notification  of  the 
critical  issues  that  exist,  management  began  corrective  action  immediately. 

We  identified  more  than  400  websites  for  testing,  but  due  to  time  constraints 
were  able  to  assess  only  69  web  sites.  We  discovered  a  disappointingly  large 
number  of  vulnerabilities  in  these  sites.  When  we  classified  these 
vulnerabilities,  we  identified: 

•  4  %  were  critical 

•  3  %  were  high 

•  24  %  were  medium 

•  69%  were  low 

A  vulnerability  is  classified  as  critical,  high,  medium  or  low,  as  follows: 
Critical:    a  vulnerability  that  could  let  an  attacker  execute  commands  on  the 
server,  or  retrieve  and  modify  confidential  information, 
a  vulnerability  that  could  let  an  attacker  view  source  code,  system 
files,  and  sensitive  error  messages, 
other  errors  or  issues  that  could  be  sensitive, 
interesting  issues,  or  issues  that  could  evolve  into  a  more  severe 
vulnerability. 


High: 

Medium 
Low: 


Government 
responsible  to 
ensure  web 
applications 
securely  built 


Secure,  well-managed  organizations  understand  the  importance  of  web 
application  security,  and  use  this  knowledge  to  secure  their  organizations.  They 
recognize  the  extreme  importance  of  security  for  web  applications  to  ensure  that 
their  systems— and  the  information  they  host  and  process— are  secure  and 
available  when  needed. 
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recommendations 
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Albertans  expect  government  organizations  to  safeguard  the  confidentiality  and 
accuracy  of  their  personal  information,  to  provide  secure  programs  and  services 
as  and  when  needed,  and  to  ensure  that  public  assets  are  not  susceptible  to 
misuse  or  fraud. 

As  a  result  of  our  audit,  we  made  three  recommendations  to  management — that 
Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  CIO 
Council: 

1.  develop  and  maintain  detailed  policies,  procedures,  and  standards  to  build 
and  operate  secure  web  applications. 

2.  ensure  that  all  Go  A  web  applications  consistently  meet  all  security 
standards  and  requirements. 

3.  review,  improve,  and  ensure  compliance  with  the  GoA's  shared  computing 
infrastructure's  security  policies,  procedures,  and  standards. 


Are  GoA  web 
applications  secure 


Are  control 
processes  effective 
and  well-designed 


2.2  Audit  objectives  and  scope 

Our  initial  audit  objectives  were  to  assess  if  the  GoA: 

•  develops,  maintains,  and  makes  available  to  government  organizations, 
adequate  policies,  procedures,  and  standards  necessary  to  build  and 
maintain  secure  web  applications. 

•  has  well-designed  and  effective  control  processes  to: 

•  review  the  security  of  all  government  organizations'  web  applications. 

•  ensure  government  organizations'  web  applications  consistently  meet 
all  security  standards  and  requirements. 


Does  shared 
infrastructure 
protect 
information 


Using  findings  from  the  initial  audit  we  expanded  our  work  to  examine  and 
report  on  whether  the  GoA's  shared  computing  infrastructure  is  adequate  to 
protect  government's  and  Albertans'  information. 


The  GoA's  shared  computing  infrastructure  is  used  by  most  ministries, 
agencies,  boards  and  commissions,  and  is  maintained  by  Service  Alberta.  This 
shared  network  consists  of  the  physical  network,  the  devices  that  support  it,  like 
routers  and  switches,  and  the  software  that  controls  it. 


Audit  scope:  all 

government 

entities 


The  scope  of  our  audit  included  all  web  applications  of,  or  associated  with,  any 
Government  of  Alberta  ministry,  agency,  board,  commission  or  post-secondary 
institution.  We  refer  to  these  throughout  the  report  as  organizations. 


We  also  included  the  Government  of  Alberta  shared  computing  infrastructure 
and  all  of  the  domains  it  owns,  or  administers. 
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3-phased  testing  of 

web-application 

security 


Worked  with 
Service  Alberta 


Audit  timeline 


Fine  line:  effective 
web  applications 
must  be  both 
accessible  and 
secure 


International 
standards  being 
developed 


We  tested  the  security  of  government  Web  applications  through  a  3-phased 
process: 


Phase  1 
Phase  2 
Phase  3 


Identify  GoA  web  sites 

Conduct  high-level  automated  scans  on  these  addresses 
Conduct  detailed  manual  tests  of  selected  web  sites  to  confirm  the 
vulnerabilities  found  in  the  automated  scans  could  be  exploited. 


We  worked  closely  with  Service  Alberta  to  conduct  the  audit,  and  Service 
Alberta  was  our  main  contact  and  the  central  point  of  communication  with  the 
government  community  for  Phases  1  and  2.  For  Phase  3— detailed  manual 
testing  of  web  applications— we  planned  to  communicate  directly  with  each 
organization  selected  for  detailed  testing. 

When  it  became  apparent  that  sensitive  government  information  was  exposed 
due  to  vulnerabilities  in  the  design  and  administration  of  government  websites 
and  the  shared  computing  infrastructure,  we  discussed  our  findings  with  Service 
Alberta.  They  agreed  to  immediately  proceed  with  remedial  action  to  address 
identified  vulnerabilities.  At  this  point,  we  stopped  Phase  3  testing. 

Our  audit  took  place  from  January  2008-May  10,  2008.  This  report  uses  the 
results  of  our  work  conducted  during  that  period. 

2.3  Background 

2.3.1  Web  applications 

Web  applications  must  tread  a  fine  line  between  accessibility  and  security. 
Albertans  benefit  from  these  web  applications  but  the  applications  must  protect 
against  malicious  use.  As  web  applications  become  more  prevalent  and 
accessible,  the  security  built  into  them  plays  an  even  greater  part  in  the  overall 
security  of  Albertans'  information. 

Web  applications  must  be  designed  and  built  to  ensure  they  can't  be  used  in 
unauthorized  or  malicious  ways.  An  international  non-profit  organization  called 
the  Open  Web  Application  Security  Project  (OWASP)  is  leading  the 
development  and  maintenance  of  web  application  security  standards.  These 
security  standards  define  how  to  build  and  maintain  secure  web  applications. 

OWASP  has  developed  a  list  of  common  errors  and  vulnerabilities,  and 
guidance  on  how  to  protect  web  applications  from  them.  The  Government  of 
Alberta  has  considered  web  application  security  through  its  web  Application 
Protocol  Standard  4068. 
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Best  practices 
available  for  free 


Government  must 
remain  vigilant: 
security  needs 
constantly 
changing 


OWASP  provides  best  practices  to  build  and  maintain  secure  web  applications 
free  of  charge.  They  also  provide  regular  reports  on  the  top  security 
vulnerabilities  and  exploits  against  web  applications,  and  guidance  on  how  best 
to  protect  against  them. 

The  Internet  is  constantly  changing.  What  was  secure  yesterday  may  not  be 
secure  today.  What  is  secure  today  will  probably  not  be  secure  tomorrow.  There 
is  a  cat-and-mouse  game  played  by  those  wanting  access  to  sensitive  systems 
or  data  for  illicit  reasons,  and  those  who  protect  the  security  of  our  information. 


Network  security 
needs  controls 
built  into  new 
systems 


Security  layered 
like  an  onion 


2.3.2  Network  security 

Network  security  is  important.  To  have  good  network  security,  an  organization 
must  have  the  appropriate  network  policies,  procedures,  and  standards,  and  the 
ability  to  implement  and  enforce  them.  Secure  organizations  ensure  well- 
designed  and  effective  security  controls  are  built  into  all  new  systems, 
applications  and  infrastructure  before  they  are  deployed  in  the  production 
environment.  Good  network  security  practices  and  controls  increase  the 
probability  programs  and  services  will  be  available  as  and  when  needed,  and 
that  the  data  they  host  will  remain  secure  and  confidential. 

When  designed  properly,  multi-layer  network  security  looks  like  an  onion.  You 
need  to  keep  peeling  layers  off  to  get  to  the  critical  core. 


One  layer  of  security  inside  another  protects  valuable 
assets.  If  security  systems  aren't  properly  designed,  you 
can  bypass  the  security  layers  and  cut  directly  to  the 
center. 

Figure  1:  onion  skin  approach 


Do  adequate  Web 
application 
security  standards 
exist 


Are  security 
standards 
consistently  met 


2.4  Criteria  and  conclusions 

We  started  this  audit  with  the  plan  to  examine  two  criteria: 

1.  Service  Alberta — on  behalf  of  the  government  and  in  conjunction  with  all 
ministries  through  the  CIO  council — should  develop,  maintain,  and  make 
available  to  all  government  organizations  detailed  policies,  procedures,  and 
standards  to  build  and  operate  secure  web  applications. 

2.  Service  Alberta — in  conjunction  with  all  ministries  and  through  the  CIO 
Council — should  develop  and  implement  well-designed  and  effective 
control  processes  to: 

•     review  the  security  of  every  government  organization's  web 
applications. 
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•     ensure  Web  applications  consistently  meet  all  security  standards  and 
requirements. 

By  evaluating  the  first  two  criteria,  we  found  that  if  a  vulnerable  web 
application  is  compromised,  other  government  services  or  areas  may  also 
be  at  risk.  Thus,  we  expanded  our  scope  to  include  the  following  third 
criteria. 


Does  government 
have  secure 
network  design 


Service  Alberta 

developing 

standards 


Service  Alberta  is 
working  to 
improve  security 


3.    Service  Alberta— as  the  administrator  of  the  government's  shared 

computing  environment— should  have  policies,  procedures,  standards,  and 
well-designed  control  activities  to  provide  adequate  security  ensuring  the 
confidentiality,  integrity,  and  availability  of  information  systems  and  data. 


Criteria 

Conclusion 

Met 

Partly 
Met 

Not  Met 

Related 
recommendation 

1 .  The  government  should  have 
adequate  policies, 
procedures,  and  standards  to 
build  and  operate  secure  web 
applications. 

Page  64 

2.  The  government  should 
ensure  that  web  applications 
consistently  meet  all  security 
standards  and  requirements 

Page  66 

3.  The  government's  network 
security  policies  and 
practices  should  adequately 
protect  government  and 
Albertans'  information. 

/ 

Page  68 

We  found  that  current  GoA  web  application  security  standards  are  inadequate. 
The  Ministry  of  Service  Alberta  has  recognized  this  and  is  leading  an  initiative, 
through  the  CIO  Council,  to  develop  an  IT  control  framework  including 
detailed  web  application  and  other  security  policies,  procedures,  and  standards. 

Service  Alberta  is  aware  of  the  seriousness  of  the  security  vulnerabilities  and 
has  indicated  that  it  is  working  to  ensure  that: 

•  comprehensive  web  application  policies  and  standards  are  defined  and 
implemented. 

•  all  government  organizations'  web  applications  are  scanned  and  that 
identified  security  vulnerabilities  are  remediated  immediately. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Cross-Ministry 


Protecting  information  assets 


•  web  application  security  policies,  standards,  and  the  web  applications 
themselves,  will  be  continually  monitored  and  any  issues  identified 
promptly  resolved. 

•  insecure  shared  computing  infrastructure  practices  are  identified  and 
remediated. 


We  support  Service  Alberta's  initiatives  in  assessing  the  security  of  web 
applications  to  promptly  solve  these  problems.  This  is  a  serious  vulnerability 
that  must  be  dealt  with  promptly  and  throughout  the  government  to  protect  the 
confidentiality  and  integrity  of  Albertans'  information  and  the  programs  and 
services  the  government  provides. 


2.5  Recommendations 

2.5.1   Develop  and  maintain  detailed  standards  and  policies  to  build  and 

operate  secure  web  applications 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with 
all  ministries  and  through  the  Chief  Information  Officer  (CIO)  Council, 
develop  and  maintain  detailed  policies,  procedures,  and  standards  to  build 
and  operate  secure  web  applications. 


Security  must 
remain  priority  for 
both  web 
applications  and 
network 


Background 

The  security  of  web  applications  is  only  a  starting  point.  Secure,  well-managed 
organizations  work  at  securing  their  entire  computing  infrastructure.  Hackers 
look  for  the  weakest  point  to  attack  and  gain  access.  If  a  Web  application  is 
secure,  they  look  for  weaknesses  in  the  operating  system  it  runs  on.  If  that's 
secure,  they  try  to  exploit  network  vulnerabilities.  If  the  network  is  secure,  they 
go  to  the  next  web  application  and  try  the  cycle  again. 


Policies, 
procedures,  and 
standards 
necessary  to  meet 
minimum  security 
requirements 


Policies,  procedures,  and  standards  are  necessary  to  ensure  that  all  government 
ministry  and  agency  web  applications  meet  minimum  security  requirements. 
The  government  has  previously  identified  the  need  for  standardized  policies  and 
procedures,  and  has — through  previous  iterations  of  Service  Alberta — 
developed  and  approved  web  application  standards  and  guidelines  for  securing 
web  applications. 


Criteria:  the  standards  we  used  for  our  audit 

The  Government  of  Alberta  should  develop,  maintain,  and  make  available  to 
government  organizations,  the  policies,  procedures,  and  standards  to  build  and 
operate  secure  web  applications. 
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Web-application 
security 

documentation  out 
of  date 

No  one  group 
responsible  for 
policies  or 
standards 

Documentation 
not  regularly 
reviewed 


Current  security 
standard  not  well 
known  or  followed 


No  centralized 
role  to  define, 
implement,  and 
ensure  web- 
application 
security 


GoA  systems  and 
information  at  risk 


There  is  lack  of 
policies,  standards, 
and  enforcement 


Our  audit  findings 

We  reviewed  web  application  security  policies,  procedures,  and  standards 
documentation  issued  by  Service  Alberta.  The  documentation  was  issued 
between  2002  and  2006,  and  has  not  been  updated  since. 

The  government  has  not  charged  a  single  group  or  committee  with  the 
responsibility  to  develop,  maintain,  and  implement  government-wide  web 
application  security  policies  or  standards. 

The  policies  and  standards  we  reviewed  were  developed  and  approved  by 
Alberta  Corporate  Services  Centre,  the  predecessor  to  Service  Alberta.  A 
process  does  not  exist  to  ensure  the  documentation: 

•  is  regularly  reviewed  and  remains  up  to  date  and  relevant. 

•  is  promoted  to  all  ministries  and  agencies. 

•  includes  the  appropriate  guidance  to  implement  the  policies  and  standards. 

In  2003,  Service  Alberta  developed  and  promoted  a  web  application  security 
standard— Web  Application  Protocol  Standard  4068.  However,  the  document 
isn't  well  known,  or  consistently  followed  by  government  organizations.  The 
security  requirements  in  this  document  refer  to  the  overall  Government  of 
Alberta  IT  Baseline  Security  Policy.  The  overall  GoA  IT  security  policy  does 
not  identify  specific  web  application  security  standards  or  requirements. 

Service  Alberta  is  responsible  to  develop,  maintain  and  make  available  the 
policies,  procedures,  and  standards  to  build  secure  web  applications.  But  no  one 
is  responsible  to  ensure  web  applications  are  built  and  operated  to  these  secure 
standards.  A  central  security  office  can  play  a  key  role  in  improving  the  GoA's 
overall  security  environment  by  having  the  responsibility  to  ensure  these 
policies  and  standards  are  consistently  met. 

Implications  and  risks  if  recommendation  not  implemented 

Without  adequate  and  consistently  met  policies,  procedures,  and  standards  to 
build  and  maintain  web  applications,  the  entire  GoA's  shared  computing 
infrastructure— and  all  the  data  and  information  in  it— is  at  risk. 

A  lack  of  secure  web-application  policies,  procedures,  and  standards  leads  to: 

•  government  organizations  not  knowing  what  is  required  or  needed  to  build 
and  maintain  secure  web  applications. 

•  government  organizations  building  and  implementing  insecure  web 
applications. 

•  web  applications  that  were  once  secure  becoming  insecure  and  vulnerable 
over  time. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


65 


Cross-Ministry 


Protecting  information  assets 


2.5.2  Develop  standards  and  policies  to  ensure  web  applications  are 

built  to  required  standards 
Recommendation  No.  5 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with 
all  ministries  and  through  the  Chief  Information  Officer  (CIO)  Council, 
develop  and  implement  well-designed  and  effective  controls  to  ensure  all 
Government  of  Alberta  web  applications  consistently  meet  all  security 
standards  and  requirements. 


Effective  controls 
required 


Background 

To  ensure  all  information  assets — systems,  applications,  and  the  data  they 
hold — are  secure,  organizations  must  regularly  and  consistently  monitor  and 
review  web  applications  to  ensure  they  are  built  and  remain  secure.  Secure 
organizations  have  well-designed  and  effective  control  processes  to  ensure  that 
web  applications  are  built  to  secure  standards  before  they  are  allowed  in  the 
production  environment  or  exposed  to  the  Internet. 


Proactive  controls 
most  effective 


Proactive  controls  that  ensure  web  applications  are  tested  before  they  are 
deployed,  and  regularly  tested  afterwards  for  new  vulnerabilities,  are  the  best 
form  of  prevention.  It's  much  easier  to  prevent  a  security  breach  in  the  first 
place  than  to  secure  all  systems  and  data  after  a  breach. 


Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta,  in  conjunction  with  all  ministries  and  through  the  CIO  Council, 
should  have  well-designed  and  effective  control  processes  to: 

•  review  the  security  of  all  web  applications  on  the  government's  shared 
computing  infrastructure. 

•  ensure  web  applications  consistently  meet  all  security  standards  and 
requirements. 


Guidance  lacking 
on  meeting 
security  standards 


Our  audit  findings 

We  reviewed  documentation  available  in  the  GoA's  shared  repository  of 
policies,  procedures,  standards,  and  other  documentation  and  confirmed  a  lack 
of  guidance.  Service  Alberta  and  other  government  organizations  don't  have 
well-designed  controls  to  ensure  web  applications  using  the  shared 
infrastructure  are  built  to,  and  continue  to  meet,  government  security  standards. 


OWASP  security 
standards  adopted 
but  no  compliance 
mechanism 


The  government  has  previously  identified  the  OWASP  secure  configuration 
standards  as  a  best  practice  to  build  secure  web  applications  in  the  GoA 
guidelines  for  building  secure  web  applications  (GOA  ID  #  4698  and  OWASP 
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No  ability  to 
properly  assess 
organization's 
security 


Knowledge  and 

consistency 

limited 


OWASP 
vulnerabilities 
present  in 
government 
websites 


All  government 
organizations  need 
security  standards 


Web  server  security  GOA  ID  #  4072).  However,  there  is  no  well-designed  and 
effective  control  process  to  ensure  compliance  with  these  standards. 

The  GoA,  through  Service  Alberta  or  any  other  group,  doesn't  have: 

•  adequate  policies  and  procedures  to  ensure  that  web  applications  using  the 
government's  shared  computing  infrastructure  are  built  and  maintained  to  a 
secure  standard. 

•  well-designed  and  effective  control  processes  to  ensure  that  web 
application  security  standards  are  consistently  followed. 

We  also  found,  throughout  the  GoA,  there  is  limited  knowledge  and  consistency 
in  the: 

•  way  each  organization  builds  and  implements  web  applications. 

•  understanding  among  organizations  as  to  what  constitutes  a  secure  web 
application,  or  how  best  to  build  and  maintain  secure  web  applications. 

OWASP  has  identified  a  list  of  the  top  10  most  common  web  application 
security  vulnerabilities.  Using  OWASP  security  standards  to  build  and  maintain 
web  applications  should  limit  or  eliminate  the  presence  of  common  and  easily 
protected-against  web  application  vulnerabilities. 

We  examined  8  of  the  Top- 10  OWASP  identified  vulnerabilities  and  all  of 
these  were  present  in  the  government  websites  reviewed. 

These  conditions  are  easily  preventable  by  following  standards  for  secure 
coding,  building,  and  maintaining  web  applications  and  the  systems  they  run 
on. 

This  finding  is  of  particular  concern  given  the  inter-dependencies  in  the  current 
government  shared  computing  environment  design.  The  entire  government 
relies  on  individual  organizations  to  ensure  they  have  designed  and 
implemented  secure  web  applications. 

We  also  identified  other  vulnerable  web  applications— belonging  to  other 
government  organizations— but  not  using  the  shared  infrastructure  with  similar 
critical  security  vulnerabilities.  Although  these  vulnerable  web  applications 
may  not  directly  threaten  security  of  the  government's  network  as  they  are  not 
part  of  the  shared  infrastructure,  they  threaten  confidentiality  and  security  of 
government  and  Albertans'  information  used  by  these  applications. 
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Inadequate 
controls  lead  to 
unauthorized 
access  to  key  data 
and  systems 


Implications  and  risks  if  recommendation  not  implemented 

Without  well-designed  and  effective  control  processes  to  ensure  that  all 
ministry  and  agency  web  applications  are  built  and  maintained  to  strict  security 
standards,  this  could  result  in  unauthorized  access  to,  and  abuse  of,  critical, 
sensitive  or  confidential  data  and  systems. 


2.5.3  Review  and  improve  the  GoA's  shared  computing  infrastructure 

policies,  procedures,  and  standards. 
Recommendation  No.  6 

We  recommend  that  the  Ministry  of  Service  Alberta  work  with  all 
ministries  and  through  the  Chief  Information  Officer  (CIO)  Council,  to 
develop  and  implement  policies,  procedures,  standards,  and  well-designed 
control  activities  for  the  Government  of  Alberta's  shared  computing 
network. 


Good  network 
security  practices 
increase 
probability  that 
services  will  be 
available  and 
information  secure 


Background 

Network  security  is  important.  Good  network  security  requires  an  organization 
to  have  the  appropriate  policies,  procedures,  and  standards  to  take  security  into 
account  throughout  its  lifecycle.  Secure  organizations  ensure  well-designed  and 
effective  security  controls  are  built  into  all  new  systems  and  applications — 
including  Web  applications — and  infrastructure  before  they  are  deployed  in  the 
production  environment.  Good  network  security  practices  and  controls  increase 
the  probability  that  programs  and  services  will  be  available  when  needed,  and 
that  the  data  they  host  stays  secure  and  confidential. 


Shared  network 
consists  of 
physical  network, 
devices,  and 
software 


Service  Alberta  administers  the  Government  of  Alberta's  shared  network 
computing  infrastructure.  This  shared  network  consists  of  the  physical  network, 
the  devices  that  support  it  (like  routers  and  switches) ,  and  the  software  that 
controls  it  (like  Active  Directory).  Active  Directory  is  a  technology  that  gives 
network  administrators  tools  so  that  users  and  devices  on  the  network  can  talk 
to  each  other  efficiently.  Active  Directory  stores  information  and  settings  in  a 
central  database  and  allows  administrators  to  assign  access  to  resources,  deploy 
software,  and  apply  critical  updates  and  security  patches  throughout  the 
network. 


Service  Alberta 
administers  shared 
network  but  does 
not  control  it 


The  government's  shared  infrastructure  relies  on  trusted  links  and  the  security 
within  each  ministry.  Service  Alberta — although  the  administrator  of  the  shared 
infrastructure — does  not  always  own  or  control  other  ministry  assets  using  the 
shared  infrastructure. 
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Did  government 
build  with  security 
in  mind 


Security  often  an 
afterthought, 
second  to 
functionality 


Service  Alberta 
needs  to  ensure 
safe  network 


The  Government  of  Alberta's  shared  computing  infrastructure  has  evolved  over 
many  years,  constantly  accommodating  new  and  modified  departments, 
ministries  and  entities  along  the  way,  and  changing  corporate  priorities. 
Because  of  the  speed  with  which  such  changes  have  to  be  made,  security  may 
not  have  always  been  adequately  considered.  Although  threat  and  risk 
assessments  are  conducted  on  organizations  moving  into  the  shared 
infrastructure,  there  is  no  formal  risk  acceptance  framework  or  accountability 
practice  to  deny  entry  to  the  shared  infrastructure  or  to  accept  risks  insecure 
organizations  may  bring  with  them. 

Security  requirements  are  often  considered  "non-functional"  or  an 
inconvenience  when  systems  are  designed.  Security  is  not  usually  needed  for  an 
application,  system,  or  network  device  to  meet  its  functional  goals.  Thus, 
security  is  often  implemented  as  an  after-thought.  However,  well-designed  and 
effective  security  is  essential  if  government  plans  to  rely  on  its  systems  to 
produce  complete,  accurate,  and  valid  information,  available  when  needed. 

Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta— as  the  administrator  of  the  government's  shared  computing 
infrastructure— should  have  policies,  procedures,  standards,  and  well-designed 
control  activities  to  provide  adequate  security  to  ensure  the  confidentiality, 
integrity,  and  availability  of  information  systems  and  data. 


Inadequate 
procedures, 
standards, 
processes  for 
shared  network 


Our  audit  findings 

Service  Alberta  does  not  have  adequate  procedures,  standards,  and  well- 
designed  control  processes  for  the  GoA's  shared  computing  infrastructure  to 
ensure  the  confidentiality,  integrity,  and  availability  of  information  systems  and 
data. 


"Trusted"  security 
model  inadequate 


Programs  and 
services  not 
adequately 
protected 

Government's  and 
Albertans' 
information  at  risk 


The  GoA  uses  a  "federated"  or  "trusted"  model  for  security.  Although  this 
allows  government  organizations  to  quickly  and  easily  share  resources  and 
infrastructure,  it  also  increases  the  risk  to  other  more  secure  organizations. 

Implications  and  risks  if  recommendation  not  implemented 

Without  adequate  and  government-wide  IT  security  policies,  procedures,  and 
standards,  the  government  cannot  adequately  protect  all  programs  and  services 
it  offers  to  Albertans. 

Further,  until  the  government  establishes  a  central  authority  to  ensure  that 
policies,  procedures,  and  standards  are  well-designed  and  promoted,  and 
followed,  the  government's  data  and  Albertans'  personal  information  will 
remain  at  risk  of  unauthorized  access. 
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Speed  and 
completeness  of 
solution  is 
essential 


Wireless  networks 
becoming  more 
popular 


Wireless  networks 
offer  easy  access 
to  criminals 


If  Service  Alberta  does  not  review  and  solve  the  network  security  problems 
promptly  and  properly,  throughout  the  entire  computing  environment,  existing 
vulnerabilities  will  be  more  easily  and  quickly  exploited — even  by  less- 
knowledgeable  attackers.  Network  infrastructure  that  provides  programs  and 
services  to  Albertans,  and  processes  government  and  Albertans'  financial  and 
personal  information  will  not  be  secure  or  reliable. 

3.  Wireless-access-point  security 

3.1  Summary 

Wireless  networks  are  becoming  popular  and  more  widely  available.  How  many 
of  us  have  gone  to  our  local  coffee  shop  and  seen  a  customer  enjoying  a  warm, 
frothy  beverage,  typing  on  their  laptop  and  surfing  the  Internet? 

The  widespread  use  of  wireless  access  points  (WAPs)  allows  us,  virtually  from 
anywhere,  to  catch  up  on  our  emails,  pay  a  bill  online  or  finish  the  last  page  of  a 
report. 

This  ease  of  use,  though,  comes  at  a  price  -  unless  it's  well  secured,  wireless 
technology  can  unintentionally  expose  confidential  data  and  systems. 

In  recent  years,  WAPs  have  offered  cyber  criminals  easy  access  to  corporate 
records.  One  of  the  largest  information  security  breaches  in  the  past  decade 
involved  criminals  exploiting  an  insecure  WAP  in  a  company's  network,  and 
stealing  more  than  47  million  customer  records  and  affecting  consumers  across 
North  America.1 


Organizations 
need  to  balance 
benefits  and  risks 


Organizations  looking  to  install  wireless  networks  need  to  understand  not  only 
their  benefits  but  also  their  risks.  They  must  determine  if  the  business  needs 
outweigh  the  potential  risks. 


Service  Alberta 
policy  on  wireless 
access 


Wireless  networks  are  like  a  typical  wired  computer  network.  Except,  if  you 
don't  secure  it  properly,  it's  just  like  sitting  in  that  coffee  shop...  everyone  can 
use  your  network. 

Service  Alberta  created  a  policy  on  the  use  of  wireless  technology  throughout 
the  GoA.  The  policy  outlines  a  series  of  industry  best  practices  to  reduce 
potential  risks  created  by  wireless  access  points. 


1  www.consumeraffairs.com/news04/2007/05/tjx_wireless.html. 
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We  assessed  if 
ministries  comply 

Policy  in  place 


The  policy  states  (in  part) : 

Wireless  access  should  be  configured  as  any  unsecured  external  network,  such 
as  the  Internet.  Connecting  wireless  access  points  directly  inside  an  internal 
network  without  security  measures  is  not  acceptable. 

The  policy  goes  on  to  state: 

Wireless  access  to  an  internal  network  should  be  limited  to  specific 
authenticated  devices  only.  No  access  is  to  be  granted  to  unknown  devices.  In 
practice,  this  means  limiting  which  devices  have  access  to  a  wireless  access 
point  using  a  combination  of  user  logons/passwords,  firewall  rules,  and  the 
addresses  of  the  specific  devices. 

Encryption  keys  should  be  regularly  changed.  Be  advised  that  many  wireless 
encryption  methods  are  vulnerable  to  attack  and  that  tools  to  break  some  of 
these  encryption  methods  already  exist. 

Using  Service  Alberta's  guidelines,  our  security  audit  focused  on  how  well 
ministries  with  wireless  networks  implemented  these  recommendations. 

We  found  the  policy  document  created  by  Service  Alberta  is  in  place,  but  out  of 
date  and  doesn't  provide  guidance  on  the  type  of  security  or  surveillance 
required  for  wireless  networking.  The  policy  document  was  last  updated  in 
2003. 


No  surveillance 


The  government  does  not  have  one  central  location  providing  ongoing  network 
surveillance.  There  are  no  controls  in  place  to  detect  or  prevent  an  employee  (or 
any  other  party)  from  plugging  in  a  WAP  and  then  it  being  used  to  gain 
unauthorized  access  to  the  GoA  domain. 


Guidance  not 
provided 


Service  Alberta  has  created  the  Wireless  LAN  Security  Policy  but  has  not 
offered  any  formal  guidance  to  ministries  wanting  to  develop  their  own  policy. 
There  are  no  consistent  standards  relating  to  wireless  networking— some 
ministries  explicitly  follow  Service  Alberta,  some  create  their  own  policies. 


Does  Service 
Alberta: 

•  provide 
guidance 

•  ensure 
protection 


3.2  Audit  objectives  and  scope 

Our  primary  audit  objective  focused  on  the  policies  and  controls  in  place  at  the 
selected  ministries,  as  well  as  any  direction  offered  by  Service  Alberta: 

•  Does  Service  Alberta  provide  guidance  to  ministries  on  developing  proper 
wireless  security  policies? 

•  Does  Service  Alberta  have  the  authority  to  ensure  all  ministries  have  the 
right  protection  in  place  to  guard  against  wireless  security  threats? 
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Do  ministries: 

•  have  and 
enforce  policies 

•  control  risks 


Do  ministries  have  their  own  wireless  security  policies  in  place  and  are 
they  enforced? 

Do  ministries  have  proper  controls  in  place  to  identify  and  guard  against 
risks  posed  by  wireless  networking? 


The  scope  of  our  audit  was  to  determine: 

if  the  policies,  procedures  and  standards  that  Service  Alberta  provides  are 
adequate  and  give  ministries  direction  on  implementing  proper  wireless 
security  policies. 

the  GoA's  ability  and  authority — through  Service  Alberta — to  monitor  and 
enforce  adequate  wireless  security  policies,  standards  and  procedures, 
if  Service  Alberta  has,  or  should  have,  the  authority  to  ensure  all  ministries 
have  proper  controls  in  place  to  protect  government  systems  from  wireless 
network  threats. 

if  ministries  had  adequate  security-awareness  programs  to  educate  staff  on 
the  safe  use  of  wireless  networks. 

if  ministries  received  any  guidance  from  Service  Alberta  on  creating 
policies,  standards  and  procedures  for  wireless  networks, 
if  ministries  are  actively  monitoring  for  and  protecting  against 
unauthorized  wireless  access  points. 


Six  ministries 
audited 


Two  phases  of 
audit  work 


Diverse  networks, 
high  data  volume, 
sensitive 
information 


For  this  examination,  we  selected  the  following  six  ministries  in  the  Capital 
region: 

Advanced  Education  and  Technology 
Children's  Services 
Finance  and  Enterprise 
Health  and  Wellness 
Justice  and  Attorney  General 
Sustainable  Resource  Development 


We  completed  the  audit  in  two  phases.  The  first  phase  was  a  Proof  of  Concept 
(PoC)  using  one  ministry  as  a  pilot.  The  PoC  proved  our  audit  process  was 
sound  and  led  to  Phase  II — a  larger  audit  involving  an  additional  five  ministries 
spread  out  amongst  ten  buildings  in  the  Capital  region. 

The  six  ministries  have  diverse  computer  networks,  large  volumes  of  data,  and 
sensitive  information  regarding  Albertans.  Each  ministry  was  aware  of  the  audit 
and  co-operated  fully  with  my  Office,  granting  supervised  access  to  their 
buildings  and  networks.  The  audit  took  place  in  April  and  May  of  2008. 
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One  other  ministry  conducted  a  similar  review  of  its  wireless  security  in 
January  2008.  Their  audit  used  a  similar  approach  and  produced  similar  results. 
These  results  are  not  included  in  the  overall  wireless  security  audit. 


Wireless  networks 
are  faster  and 
cheaper  to  install 


Secure  wireless 
networks  take 
more  time  and 
effort 


Series  of 

safeguards  needed 
to  defend  network 


No  guarding 

against 

unauthorized 


access 


3.3  Wireless  networking 

Wireless  access  points  (WAPs)  are  an  inexpensive  and  quick  way  to  create  a 
network  for  an  organization.  WAPs  provide  connections  into  computer 
networks  without  incurring  the  cost  of  running  wires  in  walls  and  baseboards. 

WAPs  use  radio  frequencies  to  broadcast  network  traffic  to  and  from  computers 
equipped  with  wireless  network  cards.  Most  laptop  computers  come  equipped 
with  wireless  access  cards,  giving  mobile  users  the  ability  to  connect  to  wireless 
networks  at  home,  at  work  and  on  the  road. 

Cafes,  hotel  lobbies  and  airport  terminals  offer  wireless  networks  to  their 
patrons.  These  networks  are  good  examples  of  how  easy  wireless  networking 
has  become.  You  can  turn  on  your  laptop  and  access  a  wireless  network  almost 
everywhere. 

Setting  up  a  secure  wireless  network,  though,  takes  more  time  and  effort 
because  the  organization  must  understand  the  threats  and  vulnerabilities 
inherent  in  wireless  technology.  The  organization  must  put  into  place  a  series  of 
safeguards  to  defend  its  network  from  hijacked  sessions  (an  attacker  "steals"  or 
"hijacks"  a  legitimate  session  by  eavesdropping  on  the  traffic  and  taking  over 
the  real  user's  network  session),  unauthorized  access  (gaining  entry  into  the 
system  without  approval)  or  rogue  access  devices  (devices  installed  on  the 
organization's  network  without  its  knowledge  or  approval). 

3.4  Criteria  and  conclusions 

Our  wireless  access  point  audit  determined,  in  the  six  ministries  that  we 
audited,  that  there  was  no  network  surveillance  in  place  to  guard  against 
unauthorized  devices,  nor  was  there  any  formal  guidance  on  the  creation  and 
deployment  of  wireless  policies  and  standards  from  Service  Alberta. 

Service  Alberta  has  created  a  Wireless  LAN  Access  Security  Policy  document, 
along  with  a  checklist  outlining  industry  best  practices  and  resources  for 
wireless  networks.  Both  documents  are  available  to  all  ministries. 
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Conclusion 

Related 

Criteria 

Met 

Partly 
Met 

Not 
Met 

Recommendations 

The  government  should  have 

adequate  policies  and  procedures 

✓ 

rage  75 

*         i  111 

in  place  to  securely  deploy 

wireless  networks. 

The  government  should  have  one 

Page  77 

central  authority  in  place  to 

monitor  networks,  including 

wireless  access  points. 

The  government  should  have 

safeguards  in  place  to  guard 

Page  76  and  77 

against  threats  posed  by  new 

technology,  including  wireless 

networks. 

Policy  in  place, 
but  out  of  date 


Documents 
lacking  in  several 
areas 


No  surveillance  in 
place 


Service  Alberta  has  the  Wireless  LAN  Access  Security  Policy  in  place,  but  it  is 
out  of  date  and  lacks  guidance  on  what  is  required  for  wireless  networking  for 
surveillance  and  monitoring. 

Service  Alberta  created  a  checklist  of  industry  best  practices,  which  list 
resources  where  ministries  can  get  more  information.  The  documentation 
doesn't  list  definitive  requirements  for  deploying  wireless  networks.  The 
documents  also  don't  stress  the  importance  of  conducting  threat  and  risk 
assessments  before  deploying  wireless  networks.  Nowhere  in  the  policy  or 
checklist  does  Service  Alberta  state  what  type  of  traffic  should  be  monitored. 

The  government  does  not  have  one  central  location  providing  ongoing  network 
surveillance.  There  are  no  controls  in  place  to  detect  or  prevent  an  employee  (or 
any  other  party)  from  plugging  in  a  wireless  network  device  and  gaining 
unauthorized  access  to  the  GoA  domain. 


Trusted  security 
model  increases 
risk 


No  guidance  to 
ministries  on 
developing 
wireless  networks 


The  Government  of  Alberta  uses  a  "federated"  or  "trusted"  model  for  security. 
This  allows  government  organizations  to  quickly  and  easily  share  resources  and 
infrastructure,  but  it  also  increases  risk  to  other  more  secure  organizations. 

Service  Alberta  has  created  a  Wireless  LAN  Access  Security  Policy  but  has  not 
offered  any  formal  guidance  to  ministries  wanting  to  develop  their  own  policy. 
There  are  no  consistent  standards  on  wireless  networking —  some  ministries 
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followed  Service  Alberta  guidance,  while  others  created  their  own  policies  and 
standards. 


Policies  define 
how  to  secure 
computer  systems 


3.5  Recommendations 

3.5.1  Wireless  policies  and  standards 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with 
all  ministries  and  through  the  Chief  Information  Officer  (CIO)  Council, 
update  its  existing  Wireless  LAN  Access  Security  Policy  to  provide  clearer 
guidance  to  Ministries  in  deploying  and  securing  wireless-network-access 
points. 

Background 

Security  policies  define  what  an  organization  must  do  to  adequately  secure  their 
computer  systems.  Policies  provide  guidance  on  how  an  organization  ensures 
the  confidentiality,  integrity  and  availability  of  its  data. 

Wireless  access  security  policies  are  important  to  any  organization  using 
wireless  access  points  (WAPs)  to  allow  entry  to  their  computer  network.  These 
policies  should  define  what  type  of  access  is  allowed,  how  an  organization 
identifies  a  valid  user  from  an  unauthorized  user,  and  how  the  organization  will 
defend  against  unauthorized  access  points  on  its  network. 


Policies  need  to  be 
specific 


Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  should  have  policy  documents  that: 

•  outline  specific  security  requirements  and  address  possible  security  threats 
posed  by  wireless  technology. 

•  offer  guidance  to  ministries  looking  at  deploying  wireless  networks  within 
their  infrastructures. 


Our  audit  findings 

The  two  GoA  documents  (Wireless  LAN  Access  Security  Policy  and  Wireless 
Security  Checklist)  we  reviewed  didn't  provide  details  on  the  selection,  testing 
and  deployment  of  wireless  technology  within  the  GoA.  The  documents  didn't 
identify  how  to  deploy  a  wireless  network  securely  within  the  GoA.  Nor  did 
they  require  a  threat  and  risk  assessment  before  any  wireless  deployments. 

Two  ministries  use        Two  ministries'  policies  (Advanced  Education  and  Technology,  Finance  and 
GoA  policy  Enterprise)  specifically  state  the  GoA  policy  applies  to  them.  They  rely  on  the 

information  from  Service  Alberta  and  use  the  Service  Alberta  policy  document 
(Wireless  LAN  Access  Security  Policy,  Final  4.1  dated  July  11,  2003)  as  their 
overarching  security  policy  on  wireless  networks. 


GoA  documents 
lack  detail  and  key 
parts 
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Only  one  ministry 
has  its  own  policy 


Three  ministries 
rely  on  Service 
Alberta 


Only  one  ministry  (Justice  and  Attorney  General)  created  its  own  policy 
document,  stating  all  wireless  network  deployments  must  comply  with  the 
ministry's  security  policies.  Justice  and  Attorney  General  haven't  approved  any 
wireless  networks  and  we  didn't  discover  any  unauthorized  WAPs. 

The  remaining  three  ministries  relied  on  Service  Alberta  policy  documents. 
They  did  not  have  their  own  policies  or  procedures  in  place. 


Too  much  latitude 
to  choose 
technology 


Implications  and  risks  if  recommendation  not  implemented 

Vague  security  policies  allow  departments  too  much  latitude  in  selecting  and 
deploying  technology.  Without  stringent  policy  requirements,  departments 
could  set  up  wireless  networks  insecurely  and  place  the  GoA  at  risk  of 
unauthorized  access  by  external  parties. 


3.5.2  Device  configurations 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  in  conjunction  with 
all  ministries  and  through  the  Chief  Information  Officer  (CIO)  Council, 
review  the  configuration  of  laptops,  and  approve  policies  to  prevent  laptops 
from  inadvertently  exposing  the  government  environment. 


Laptop  computers 
used  extensively 
in  government 


Background 

Laptop  computers  are  commonplace  in  government.  Users  are  mobile,  able  to 
work  on  assignments  in  their  office,  or  on  the  road.  Computer  makers  provide 
wireless  networking  capabilities  in  all  newer  laptops,  giving  users  the  same 
experience  on  their  laptop — anywhere  a  wireless  network  is  available  as  if  they 
were  in  their  office. 


Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  should  develop,  promote,  and  ensure  government  organizations 
comply  with  standardized  and  secure  laptop  configurations. 


Ministries  aware 
of  laptop  risk  for 
system  access  but 
have  not  mitigated 
it 


Our  audit  findings 

Two  ministries  (Finance  and  Enterprise,  Advanced  Education  and  Technology) 
have  changed  their  laptop  security  configurations  to  secure  their  laptops  against 
the  risk  of  being  used  as  unauthorized  wireless  entry  points  to  the  GoA  domain. 
The  remaining  ministries  are  aware  of  the  potential  problem  but  have  not 
changed  the  default  base  security  configuration  and  as  a  result  are  still  exposed 
to  this  security  vulnerability. 
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The  Ministry  of  Service  Alberta  doesn't  have  the  authority  to  compel  ministries 
to  buy  only  one  type  of  laptop.  Nor  does  it  have  the  authority  to  enforce  a 
standard  secure  laptop  configuration  in  government.  Service  Alberta  could 
work  with  all  ministries  and  government  organizations,  through  the  GoA 
procurement  process,  to  ensure  future  laptop  purchases  meet  a  standardized  and 
secure  configuration. 


I  Implications  and  risks  if  recommendation  not  implemented 

9  Poorly  configured  and  insecure  laptops  could  be  used  as  unauthorized  WAPs  to 

H  gain  access. 

3.5.3  Ongoing  monitoring  and  surveillance 

*  Recommendation  No.  7 

•  We  recommend  the  Ministry  of  Service  Alberta,  in  conjunction  with  all 
B  ministries  and  through  the  Chief  Information  Officer  (CIO)  Council, 

P  update  network  surveillance  methods  to  detect  and  investigate  the  presence 

of  unauthorized  wireless  access  points  within  the  Government  of  Alberta. 

™  Background 

B  Surveillance  and  Deploying  new  technology  requires  planning  and  diligence.  Organizations 

monitoring  offer  cannot  simply  implement  new  technologies  without  first  understanding  the  risks 
defense-in-depth  r  J 

m  and  providing  for  some  type  of  surveillance  and  detection. 


Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  of  Service  Alberta  should  have  the  ability  to  monitor  and  protect 
the  GoA  domain  against  unauthorized  wireless  access  points,  including: 

•  scanning  techniques  like  'war  walking'  (see  section  5:  Glossary). 

•  regional  scanners  to  search  for  wireless  access  points. 

•  user  education  sessions  on  wireless  networking. 

Our  audit  findings 

Of  all  the  ministries  we  examined,  only  one  ministry  (Health  and  Wellness) 
conducted  any  type  of  scanning  for  unauthorized  wireless  networks.  These 
scans  were  reactive  and  conducted  on  an  ad  hoc  basis. 

Over  half  of  the  ministries  surveyed  relied  on  guidance  from  Service  Alberta 
for  wireless  network  and  device  security  standards.  Service  Alberta  has 
provided  some  information  on  wireless  security  requirements  and  deployment 
strategies.  But  it  does  not  have  a  method  to  survey  networks  across  the 
government  or  to  detect  rogue  or  unauthorized  wireless  access  points. 


Service  Alberta 
can't  control 
laptop  standards 


Only  one  ministry 

conducted 

scanning 


Ministries  rely  on 
Service  Alberta 
for  standards,  but 
it  offers  no 
guidance  on 
surveillance 
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Government  data 
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unauthorized 
wireless  access 


Implications  and  risks  if  recommendation  not  implemented 

Without  an  overall  network  surveillance  platform  in  place,  the  Go  A  remains 
vulnerable  to  threats.  Unauthorized  wireless  access  points,  if  undetected, 
potentially  could  allow  access  to  the  GoA  from  external  parties.  The  external 
parties  could  access,  alter  or  delete  confidential  government  data  and  go  about 
these  activities  undetected. 


Physical  and 
environmental 
security  controls 
inspected  at  77 
data  facilities 


4.  Physical  and  environmental  protection  of  data 
facilities 

4.1  Summary 

Data  facilities  hold  important  government  information  that  must  be  adequately 
protected.  We  inspected  physical  and  environment  security  controls  at  77  data 
facilities.  We  included  data  facilities  shared  by  multiple  ministries,  and  those 
that  were  the  responsibility  of  a  single  ministry,  board,  commission  or  post 
secondary  institute  (PSI). 


Do  security 
standards  for 
facilities  exist 

Are  they  followed 


The  objective  of  our  audit  was  to  determine  if  appropriate  standards  existed  to 
guide  the  secure  management  of  these  facilities  and  whether  they  were  being 
followed.  We  also  assessed  if  adequate  controls  were  implemented  based  on 
government  standards,  or  where  standards  did  not  exist,  if  the  controls 
implemented  met  industry  best  practices. 


Improvements 
needed 


Our  audit  revealed  that  improvements  are  needed  in: 

•  communication  between  the  two  ministries  charged  with  providing  safe 
and  secure  data  facilities. 

•  physical  and  environmental  security  controls. 

•  backup  power  supplies  and  control  processes. 


Facilities  risk 
unauthorized 
access,  fires, 
floods 


The  deficiencies  observed  may  allow  unauthorized  access — either  malicious  or 
inadvertent — to  government  information.  They  also  expose  these  facilities  to 
environmental  threats  such  as  fires  or  floods. 


Service  Alberta 
and  Ministry  of 
Infrastructure  must 
collaborate 


The  ministries  of  Service  Alberta  and  Infrastructure  need  to  collaborate  to 
ensure  that  policies  and  procedures  are  effectively  designed,  implemented,  and 
communicated,  so  that  staff  is  aware  of  their  roles  and  responsibilities.  Data 
facilities  need  improvements  to  their  physical  and  environmental  security 
controls  to  ensure  they  are  able  to  withstand  and  protect  against  unauthorized 
access  and  environmental  threats. 


Through  effective  security  controls  at  data  facilities,  the  risk  of  loss  or 
misappropriation  of  information  can  be  significantly  reduced. 
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Need  to  protect 
both  transmitted 
and  stored 
information 


With  the  proliferation  of  the  Internet,  electronic  commerce  and  electronic 
access  to  government  services,  information  security  is  becoming  increasingly 
important.  It  is  important  not  only  to  protect  information  from  threats  while  it  is 
in  transit  over  the  Internet,  but  also  while  it  is  in  storage  within  government  data 
facilities. 


Security  standards 
missing  or  not 
followed 


Central  facility 
may  solve 
problems 


Four 

recommendations 


Acceptable  physical  and  environmental  security  standards  did  not  exist  in  all 
data  facilities.  Where  standards  did  exist,  employees  were  not  always  following 
them.  Every  facility  tested  had  gaps  in  controls  over  the  protection  of 
information  and  computer  hardware. 

Consolidating  servers  and  other  network  devices  from  different  data  facilities 
into  a  central  facility  may  help  solve  some  of  these  problems.  By  doing  this  the 
GoA  could  ensure  that  there  are  adequate  physical  and  environmental  security 
controls  in  place  and  that  they  are  consistently  met.  This  is  easier  and  more 
efficient  to  do  at  one  location  rather  than  at  many. 

We  made  the  following  four  recommendations  to  management  to  better  protect 
data  facilities  and  reduce  the  risk  of  loss  or  misappropriation  of  data: 

1 .  Increase  collaboration  at  shared  data  facilities  between  the  ministries  that 
use  them  to  identify  potential  risks  and  improvements. 

2.  Ensure  that  all  critical  equipment  is  connected  to  appropriate  backup  power 
supplies  in  case  of  a  power  failure. 

3.  Strengthen  physical  security  to  deter  unauthorized  individuals  from 
entering  a  data  facility. 

4.  Maintain  environmental  controls  to  protect  equipment  from  unexpected 
environmental  hazards. 


Are  data  facilities 
properly  protected 


Evaluated  physical 
and  environmental 
controls 


4.2  Audit  objectives  and  scope 

Our  objective  was  to  assess  if  data  facilities  across  the  GoA  had  adequate 
security  measures  in  place  by  determining  if  they  had: 

•  physical  security  policies  and  procedures  for  protecting  government  assets. 

•  physical  security  policies  consistent  with  GoA  standards. 

•  implemented  controls  to  protect  assets  from  environmental  threats. 

•  implemented  controls  to  protect  assets  from  theft,  damage  or 
misappropriation. 

•  a  process  to  monitor  physical  security  controls  (see  section  5:  Glossary). 

We  examined  data  facilities  at  Alberta  Government  Provincial  buildings, 
Alberta  ministries,  boards,  commissions  and  Post  Secondary  Institutes  (PSIs). 
Even  though  PSIs  are  not  the  direct  responsibility  of  Service  Alberta,  our  report 
includes  them  to  ensure  they  meet  minimum  security  requirements.  Our  audit 
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Physical  security 

previously 

reviewed 


Data  facilities 
need  protection 

Safeguards  range 
from  locks  to 
biometric 
authentication 


Backup  power 
supplies  and 
environmental 
controls  typical 


Financial  legal, 
and  reputational 
risks 


Ministry  of 
Infrastructure 
maintains 
buildings 


consisted  of  evaluating  data  facilities  against  a  checklist  of  best  practices  for 
physical  and  environmental  controls. 

We  did  not  examine  the  overall  physical  security  of  the  buildings.  An  audit  on 
the  physical  security  of  government  buildings  was  reported  in  our  2002-2003 
Annual  Report  (No.  28,  page  187).  Our  audit  this  year  was  limited  to  the 
facilities  that  housed  computer  equipment. 

Between  October  2007  and  June  2008,  we  inspected  77  data  facility  across 
Alberta: 

•  39  were  shared  facilities  in  provincial  buildings. 

•  4  were  non-shared  facilities  in  provincial  buildings. 

•  34  were  ministry,  board,  commission,  college,  and  university  facilities. 

4.3  Protecting  data  facilities 

A  data  facility  stores  the  computer  equipment  and  information  systems  of  an 
organization.  Much  like  a  house,  a  facility  needs  measures  and  safeguards  in 
place  to  protect  the  valuables  within  from  being  misappropriated  or 
inadvertently  damaged,  and  to  prevent  against  damage  from  environmental 
hazards.  Just  as  leaving  a  house  and  its  valuables  unsecured  is  not  prudent,  nor 
is  leaving  data  facilities  unprotected.  Safeguards  can  be  as  simple  as  having 
locks  on  doors,  or  as  complex  and  elaborate  as  biometric  authentication  (see 
section  5:  Glossary). 

A  data  facility  that  houses  the  computer  equipment  and  the  information  systems 
and  data  of  an  organization  will  typically  have  backup  power  supplies,  backup 
Internet  connections,  special  security  devices  and  environmental  controls  such 
as  air  conditioning  and  fire  suppression  systems  to  ensure  the  resiliency,  and 
environmental  well-being,  of  the  facility. 

Data  facilities  usually  contain  critical  and  sensitive  corporate  and  individual- 
specific  information,  so  a  security  breach  can  have  a  serious  and  often  long- 
lasting  effect  on  organizations.  These  can  be  in  the  form  of  financial  and  legal 
implications,  as  well  as  loss  of  credibility  and  reputation  of  the  organization. 

The  Ministry  of  Infrastructure  is  responsible  for  maintaining  the  physical 
security  of  all  government  buildings.  Section  7.4  of  the  Government  of  Alberta 
Information  Technology  Baseline  Security  Requirements  states  that: 
Departments  must  ensure  the  physical  protection  of  electronic  equipment, 
systems  and  media  from  both  physical  and  environmental  threats. 
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But  ministries 
must  protect  data 


Service  Alberta 
manages  shared 
data  facilities  for 
42  of  56 
government 
buildings 


Facilities  lack 
effective  controls 

Standards  not 
followed 

Access  not 
monitored 


Ministries  usually  employ  a  series  of  physical  and  environmental  controls, 
coupled  with  effective  operating  policies  and  procedures  to  protect  their  data 
facilities  and  to  ensure  the  business  continuity  and  confidentiality  of  the 
ministry's  information. 

The  Ministry  of  Service  Alberta  manages  the  data  facilities  of  42  out  of  the  56 
provincial  buildings  in  an  arrangement  called  a  Shared  Data  Facility  (SDF).  The 
facilities  range  from  full  data  facilities  to  small  network  closets  (see  section  5: 
Glossary).  For  non-shared  facilities,  Service  Alberta  may  also  have  separate 
arrangements  with  ministries  to  manage  their  computer  equipment  but  not  the 
facility. 

4.4  Criteria  and  conclusions 

In  many  instances,  data  facility  controls  were  either  not  present  or  not  operating 
effectively  to  protect  information  and  computer  hardware  from  loss  or  damage. 
Standards  exist  for  shared  data  facilities  but  they  were  not  always  followed.  In 
almost  all  cases,  there  were  no  mechanisms  to  monitor  access  to  the  data 
facility  or  determine  whether  the  environmental  controls  were  functioning 
appropriately. 

The  following  table  shows  the  general  criteria  that  we  used  to  inspect  each 
facility  and  the  results  of  the  inspection: 


Criteria 

Conclusion 

Related 
Recommendations 

Met 

Partly 
Met 

Not 
Met 

Policy  and  procedures 

Page  84 

Backup  power 

Page  85 

Physical  security 

Page  87 

Restricted  access  and  monitoring 

✓ 

Page  87 

Environmental  protection 

Page  89 

Procedures  lack 
sufficient  detail 


Policy  and  procedures — partly  met 

A  policy  for  access  to  the  shared  data  facilities  did  exist.  However,  this  criterion 
was  only  partly  met  because  the  procedures  did  not  go  into  sufficient  depth.  For 
example  the  policy  indicates  that: 

•  the  site  owner  should  change  the  keys  or  combinations  as  required  but  the 
procedures  do  not  specify  an  acceptable  frequency. 

•  all  entry  and  exit  events  must  be  logged  but  it  doesn't  indicate  who  is 
responsible  for  logging  the  visitors'  information. 
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Backup  power 
allows  computer 
equipment  to  shut 
down  gracefully 


Backup  power — partly  met 

The  "Policy  for  Physical  Access  of  Shared  Service  Alberta  Data  Facilities " 
from  Service  Alberta  states  that  SDF  users  are  responsible  for  their  own  Backup 
power.  This  criterion  was  partly  met — 38%  of  computer  equipment  in  shared 
data  facilities  were  not  appropriately  connected  to  a  backup  power  supply. 


Backup  power  supplies  protect  computer  equipment  from  utility  power  failure 
and  potential  damage.  Due  to  the  remoteness  of  some  of  the  shared  data 
facilities,  and  high  likelihood  of  power  failure  in  these  areas,  backup  power 
supplies  are  crucial. 


Backup  power 
gives  time  to  save 
data 


Backup  power  supply  is  critical  for  ongoing  operations  and  to  continue  to 
provide  services  to  Albertans.  If  a  power  failure  occurs,  affected  entities  with  a 
backup  power  supply  have  time  to  properly  shut  down  computer  equipment 
without  damaging  the  equipment  or  losing  data. 


Weak  controls  to 
keep  unauthorized 
people  out  and 
monitor  access 


Physical  security — partly  met 

The  "Policy  for  Physical  Access  of  Shared  Service  Alberta  Data  Facilities " 
from  Service  Alberta  states  that  all  SDFs  must  be  behind  a  locked  door,  and 
facility  owners  are  responsible  for  changing  the  lock  combination  or  keys. 
Although  all  the  shared  data  facilities  we  visited  were  behind  locked  doors,  this 
criterion  was  only  partly  met  because: 

•  there  were  inadequate  controls  to  monitor  and  review  access. 

•  facility  walls  and  hinges  were  inadequately  designed. 

•  windows  were  not  adequately  protected. 

•  alarm  systems  had  passwords  written  on  the  panels. 


Sign-in  sheets 
ineffective 


Restricted  access  and  monitoring — not  met 

The  "Policy  for  Physical  Access  of  Shared  Service  Alberta  Data  Facilities " 
from  Service  Alberta  states  that  all  access  to  SDFs  must  be  logged.  Visits  to  a 
SDF  must  be  scheduled  by  contacting  the  Service  Alberta  representative  and 
tracked  through  a  sign-in  sheet.  This  criterion  was  not  met. 


Although  there  were  procedures  from  Service  Alberta  to  restrict  access,  the 
sign-in  process  used  was  ineffective  because  visitors  were  allowed  to  sign  in 
without  independent  verification  of  their  identification. 


Smoke  detectors 
missing 


Environmental  protection — partly  met 

The  "Policy  for  Physical  Access  of  Shared  Service  Alberta  Data  Facilities " 
from  Service  Alberta  states  that  the  Project  Manager  and  Service  Alberta  Data 
Centre  (see  section  5:  Glossary)  staff  will  identify  air  conditioning  and  power 
requirements.  This  criterion  was  only  partly  met  because  44%  of  the  shared  data 
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Inadequate 
temperature  and 
humidity  controls 


facilities  did  not  have  adequate  temperature  or  humidity  controls,  or  appropriate 
monitoring.  In  addition,  we  did  not  find  fire  or  smoke  detectors  in  41%  of  the 
shared  facilities  and  28%  of  the  non-shared  facilities. 


49  criteria  tested 
in  each  facility 


Summary  of  criteria  results 

For  each  shared  and  non-shared  data  facility,  we  tested  49  criteria  in  the  areas 
of  policies  and  procedures,  environmental  protection,  physical  security, 
restricted  access  and  backup  power. 

We  divided  our  assessment  between  facilities  that  were  shared  by  multiple 
ministries  and  those  that  were  not  shared.  The  tables  show  the  criteria  that  had 
the  highest  percentage  of  non-compliance. 


Criteria  assessed  at  shared  data  facilities: 


Criteria  checklist 
for  shared  data 
facilities 


Checklist  criteria 


percentage  of  non-compliance 


Unsuccessful  attempts  into  the  data  center  are  reviewed 

The  data  center  doors  have  a  timed  alarm 

Access  into  the  data  center  is  reviewed  semi-annually 

Entry  into  the  data  center  is  auditable  (badges,  access  cards,  etc) 

The  data  center  has  adequate  drainage 

The  data  center  is  cleaned  on  a  regular  basis 

Windows  properly  secured 

Manual  fire  extinguishers  are  present  in  the  data  center 

Walls  within  the  data  center  extend  to  the  structural  ceiling 

Temperature  reading  (21-23)°C  Alarm  threshold  (15-25)°  inside  the  data  center 

Smoke/heat  detectors  installed  in  the  data  center 

Appropriate  backup  power  is  available  for  the  data  center 


97% 
97% 
97% 
95% 
92% 
62% 
60% 
49% 
49% 
44% 
41% 
38% 


Table  1:  Shared  facilities 


Criteria  assessed  at  non-shared  data  facilities: 


Criteria  checklist 
for  non-shared 
data  facilities 


Inadequate 
protection  of 
facilities 


Checklist  criteria 


percentage  of  non-compliance 


Access  into  the  data  center  is  reviewed  quarterly 

All  incidents  (alarms,  alerts,  etc)  are  periodically  reviewed 

The  data  center  is  monitored  by  cameras 

Fire  suppression  override  controls  exist 

Moisture  detectors  installed  in  the  appropriate  places 

UPS  system  tested  and  monitored  regularly 

Entry  into  the  data  center  is  auditable  (badges,  access  cards,  etc) 

Humidity  and  temperature  monitoring  and  recording  devices  exist 

The  data  center  uses  cross  zoned  fire  suppression  systems 

Walls  within  the  data  center  extend  to  the  structural  ceiling 

Smoke/heat  detectors  installed  in  the  data  center 


84% 
81% 
71% 
67% 
50% 
50% 
49% 
45% 
34% 
33% 
28% 


Table  2:  Non-shared  facilities 
The  results  in  tables  1  and  2  indicate  that  government  entities  are  not  adequately 
protecting  information  resources  from  accidental  damage,  unauthorized  access 
to  sensitive  information,  or  theft  of  computer  hardware. 
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4.5  Recommendations 

4.5.1   Increasing  collaboration  by  ministries 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  and  the  Ministry  of 
Infrastructure  work  in  conjunction  with  all  ministries  and  through  the 
Chief  Information  Officer  (CIO)  Council  to  improve  physical  and 
environmental  security  controls  of  data  facilities  by: 

•  improving  communication  of  responsibilities  between  ministries. 

•  establishing  government-wide  minimum  physical  and  environmental 
standards  for  data  facilities. 


Service  Alberta 
inspected  data 
facilities  it 
operates 


Background 

In  2007,  Service  Alberta  reviewed  all  data  facilities  for  which  it  is  responsible. 
Not  all  government  data  facilities  are  managed  or  operated  by  Service  Alberta. 
However,  all  facilities  are  expected  to  implement  appropriate  physical  and 
environmental  controls. 


We  inspected 
other  facilities 


We  assessed  the  physical  and  environmental  controls  at  facilities  not  reviewed 
by  Service  Alberta.  For  each  ministry  with  data  facilities  not  managed  by 
Service  Alberta,  we: 

•  reviewed  policies  and  procedures  for  physical  security. 

•  assessed  the  implementation  of  physical  and  environmental  controls  at  the 
facility. 


Government-wide 
policies  needed 

Well-designed 
processes  needed 


Criteria:  the  standards  we  used  for  our  audit 

•  There  should  be  government-wide  policies  and  procedures  for  physical  and 
environmental  security. 

•  Government  organizations  should  have  well-designed  control  processes  to 
ensure  that  staff  consistently  follows  established  policies,  procedures  or 
standards. 


Inconsistencies  in 

access-control 

procedures 


Duplicate  and 

underused 

facilities 


Our  audit  findings 

Access  control  procedures  in  every  ministry  were  inconsistent.  Server  rooms 
not  managed  by  Service  Alberta  had  to  follow  a  ministry's  security  policy.  In 
many  cases,  the  ministry  responsible  for  the  data  facility  did  not  have 
procedures  in  its  security  policy,  and  when  the  ministry  did  have  detailed 
procedures,  staff  was  not  aware  of  them. 

The  recent  reorganization  of  ministries  sometimes  resulted  in  excess  data 
facilities,  with  duplicate  and  underused  or  redundant  physical  and 
environmental  controls.  For  example,  two  data  facilities  each  had  their  own  air 
conditioning  units,  alarms,  and  locks.  Now,  due  to  a  lack  of  office  space  or 
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other  reasons,  one  of  these  facilities  is  used  as  a  storage  room  for  office  supplies 
and  files.  A  centralized  facility  would  reduce  this  duplication  and  increase  the 
security  and  cost  benefits  to  the  organizations. 


The  device  shown  in  Figure  2  is  in  a  shared 
data  facility  and  is  not  marked  with  any 
organization-specific  identification.  This 
illustrates  a  lack  of  coordination  among 
organizations  to  ensure  that  only  authorized 
devices  are  used.  ■ 

Figure  2:  Unmarked  device 
Implications  and  risks  if  recommendation  not  implemented 
Inconsistencies  in  policies  and  procedures  could  result  in  lapses  in  physical  and 
environmental  security  controls  making  them  ineffective. 

Poorly  planned  data-facility  requirements  can  result  in: 

•  duplication  and  inefficient  physical  and  environmental  controls. 

•  additional  and  unnecessary  costs. 

4.5.2  Backup  power  supplies 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta,  work  in  conjunction 
with  all  ministries  and  through  the  Chief  Information  Officer  (CIO) 
Council,  to  ensure  that  ministries  that  use  data  facilities  ensure  that 
connected  computer  equipment  has  a  sufficient  redundant  power  supply. 
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Background 

Power  failures  of  computer  and  supporting  environmental  systems  can  be 
caused  by  weather,  technical  malfunctions  or  accidents  by  staff  or  utility 
companies. 

An  uninterruptible  power  supply  (UPS)  is  a  device— usually  a  set  of  high 
capacity  batteries— that  maintains  a  safe  and  continuous  supply  of  electric 
power  to  connected  equipment  by  supplying  power  from  a  separate  source 
when  power  provided  by  an  electric  utility  is  not  available.  A  UPS  can  also 
allow  an  organization  additional  time  to  safely  shut  down  computer  systems  to 
prevent  loss  of  data  or  damage  to  the  equipment. 

For  each  data  facility,  we  determined  if: 

•  a  UPS  or  other  backup  power  source  existed. 

•  all  computer  equipment  was  appropriately  connected  to  the  backup  power 
source. 
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•  A  data  facility  should  have  a  backup  power  supply  in  case  of  loss  of  power. 

•  All  critical  devices  should  be  connected  to  the  backup  power  supply. 

•  The  backup  power  supply  should  be  tested  regularly  (at  least  annually) . 


Equipment  not 

properly 

connected 


Our  audit  findings 

Only  62%  of  computer  equipment  in  shared  data  facilities  was  appropriately 
connected  to  a  UPS.  UPSs  that  did  exist  in  shared  data  facilities  were  underused 
because  only  some  of  the  computer  equipment  was  connected  to  it. 


UPSs  in  shared  data  facilities  were  incorrectly  connected;  in  one  case,  a  UPS 
was  connected  to  a  power  bar  that  was  connected  to  the  wall  outlet  instead  of 
the  other  way  around. 


Devices  insecurely 
connected  directly 
to  outlet,  with  no 
UPS 


Figure  3  shows  a  data  facility  where 
devices  were  connected  directly  and 
insecurely  to  the  utility  outlet.  Some  of 
these  devices  are  essential  to  the 
network  operation. 


Figure  3:  Utility  outlets 


UPS  present-but  jn  the  same  facility,  an  uninterruptible 

not  used  ,  ,  ,    ,  , 

power  supply  was  present,  but  no  devices 

connected  to  it  (see  figure  4) . 


Figure  4:  Unused  UPS 


Implications  and  risks  if  recommendation  not  implemented 

Disrupted  service  Computer  network  equipment  without  a  backup  power  supply  will  fail  during  a 

cind  lost  dcitci"  risks 

of  no  UPS  power  disruption  and  result  in  the  loss  of  key  data  and  disruption  of  service  to 

employees  and  customers. 
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4.5.3  Physical  security 
Recommendation  No.  8 

We  recommend  that  the  Ministry  of  Service  Alberta  work  with  the 
Ministry  of  Infrastructure,  in  conjunction  with  all  ministries  and  through 
the  Chief  Information  Officer  (CIO)  Council,  to  improve: 

•  physical  security  controls  at  data  facilities. 

•  logging  of  access  to  data  facilities  by  implementing  effective  controls  to 
track  access. 


Controls  to 
prevent  or  limit 
access  to  facilities 
and  data 


Did  controls  exist 

Are  controls  in 
place 


Background 

Physical  security  controls  are  safeguards  or  countermeasures  that  prevent,  or 
limit  only  to  authorized  users,  access  to  a  facility,  resource,  or  information 
stored  in  the  facility.  They  can  be  as  simple  as  a  locked  door  or  as  elaborate  as 
multiple  layers  of  card  readers,  security  guards  and  monitoring  equipment. 


We  tested  a  sample  of  data  facilities  within  Ministries,  Boards,  Commissions 
and  post  secondary  institutions  (PSIs) .  For  each  data  facility,  we  determined  if: 
adequate  physical  controls  existed, 
appropriate  access  controls  were  in  place. 

Criteria:  the  standards  we  used  for  our  audit 

The  design  of  the  data  facility  should  prevent  unauthorized  users  from 
subverting  access-monitoring  controls. 

A  data  facility  should  restrict  access  to  the  facility  to  those  that  need  access 
to  do  their  job. 

All  access  to  the  facility  should  be  monitored  and  reviewed. 


Many  facilities 
with  inadequate 
design 

Door  hinges  on 
outside  mean  door 
can  be  removed 


Our  audit  findings 

Forty  nine  percent  of  shared  data  facilities  and  33%  of  all  others  did  not  have 
adequately  designed  data  facilities. 


Some  of  the  data  facilities  had  doors  with  unpinned 
external  hinges  that  could  be  removed  from  the 
outside  (see  Figure  5). 


Figure  5:  Exterior  hinged 
door  and  raised  floor 
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Some  had  walls  that  did  not  extend  to  the 
structural  ceiling;  others  had  raised  floors 
with  walls  that  did  not  extend  to  the 
structural  floor  to  prevent  someone  from 
climbing  over  or  under  them  (see 
Figure  6) . 


Figure  6:  Access  to  ceiling 


Sixty  percent  of  shared  data  facilities  and  40%  of  all  others  did  not  have 
secured  windows.  At  one  facility,  not  managed  by  Service  Alberta,  a  network 
edge  device  was  found  in  the  photocopy/file  common  room.  The  device  allows 
a  user  to  connect  to  the  government  network. 


We  also  found  2  alarm  control  panels  at  shared 
data  facilities  with  stickers  with  the  passwords 
written  on  them  (see  figure  7) . 


Figure  7:  Alarm  panel  with  password 


Key  and  cipher 
locks  weaken 
access  controls 


Ninety  five  percent  of  shared  data  facilities  and  49%  of  ministry,  boards, 
colleges  and  commissions  were  secured  with  either  a  key  lock  or  cipher  lock.  If 
keys  are  duplicated  or  cipher  lock  codes  are  shared  amongst  staff,  it  is  difficult 
to  control  access  and  determine  who  has  accessed  the  room. 


Sign-in  controls 
not  monitored 


Although  procedures  exist  to  restrict  access,  the  sign-in  sheets  used  by 
ministries  were  ineffective  because  visitors  were  not  monitored  when  filling  out 
the  log.  They  could  enter  false  information,  write  illegibly  or  enter  inaccurate 
details.  At  almost  all  locations,  we  could  sign  ourselves  in,  making  this  control 
ineffective. 


Unauthorized 
access  and  theft 
and  fraud  possible 


Financial  loss, 
legal  repercussions 
and  loss  of 
credibility 


Implications  and  risks  if  recommendation  not  implemented 

Inadequate  physical  access  controls  increase  the  risk  of  unauthorized  people 
entering  the  server  room,  which  may  result  in  unauthorized  changes  to  critical 
financial  information  or  theft  of  servers,  data,  and  related  assets. 

Without  well-designed  and  effective  access  logging  controls  at  data  facilities, 
organizations  cannot  ensure  the  accountability  of  staff  or  trace  access  back  in 
case  of  an  access  breach.  Unintended  physical  exposures  can  result  in  financial 
loss,  legal  repercussions  or  loss  of  credibility. 
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4.5.4  Environmental  security 
Recommendation 

We  recommend  that  Ministry  of  Service  Alberta  work  with  ministries  to 
improve  the  environmental  security  controls  at  shared  data  facilities. 

Background 

Environmental  exposures  are  due  primarily  to  naturally  occurring  events,  such 
as  lightning  storms,  tornados  and  other  types  of  extreme  weather  conditions  or 
other  events  such  as  flooding  due  to  a  pipe  burst  or  overheating  due  to 
inadequate  airflow  or  fire. 

Environmental  controls  in  data  facilities  are  necessary  to  maintain  temperature 
and  humidity  within  specified  computer  equipment  standards.  Computer 
equipment  requires  temperatures  within  an  acceptable  range  to  operate 
properly.  Sufficient  humidity  is  also  needed  to  reduce  the  risk  of  static 
discharge  which  may  damage  equipment. 

Fire  protection  and  suppression  is  another  area  covered  by  environmental 
security  standards.  Since  computer  equipment  operates  at  high  temperatures, 
there  is  a  risk  of  fire.  Fire  protection  and  suppression  should  also  be  a  part  of  an 
environmental  security  strategy  for  a  data  facility. 


We  tested  a  sample  of  data  facilities  for  ministries,  agencies,  boards, 
commissions  and  PSIs.  For  each  data  facility,  we  determined  if  there  were 
appropriate  environmental  conditions  and  controls  to  maintain  them. 

Criteria:  the  standards  we  used  for  our  audit 

•  Each  data  facility  should  have  documented  standards  for  temperature, 
humidity  and  cleanliness. 

•  Data  facilities  should  be  monitored  to  ensure  that  standards  are  followed. 

•  Data  facilities  should  have  appropriate  fire-detection  and  suppression 
systems. 


No  documented 
standards 


Our  audit  findings 

Shared  data  facilities  did  not  have  any  documented  minimum  standards  for 
temperature,  humidity  or  cleanliness. 
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Forty-four  percent  of  shared  data  facilities  were  not 
operating  within  ideal  temperature  ranges. 

Figure  8  depicts  the  temperature  in  one  shared  data 
facility  had  reached  27  °C-well  above  the 
recommended  range. 


Figure  8:  Temperature  of 
server  room 


Risk  of 
overheating 
compounded  by 
lack  of  heat  and 
smoke  detectors 


In  Figure  9,  a  fan-rather  than  a  recommended  cooling 
system-is  cooling  a  server.  The  risk  of  overheating  is 
compounded  by  the  fact  that  41%  of  shared  data  facilities 
lacked  heat  or  smoke  detectors. 


Cleanliness 
problem 


Figure  9:  Fan  cooling  servers 

Sixty-two  percent  of  shared  data  facilities  had  empty  boxes,  garbage  and  old 
computer  parts.  Most  facility  owners  were  unsure  whose  responsibility  it  was  to 
clean  the  rooms. 
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Implications  and  risks  if  recommendation  not  implemented 

Significant  changes  in  the  environmental  conditions  of  the  data  facility  can 
reduce  the  availability  of  computer  equipment  and  harm  the  integrity  of  data. 
Ministries  may  experience  a  significant  disruption  of  operations  because  of  data 
and  information  being  corrupted  or  lost. 

5.  Glossary 

A  way  to  uniquely  identify  a  person  using  physical  or  behavioral  traits.  An 
example  uses  your  fingerprint  and  a  fingerprint  scanner  to  identify  a  user  and 
allow  them  to  access  a  computer  system. 

A  facility  to  house  computer  systems  and  associated  components  and 
equipment,  including  network,  telecommunication  and  storage  systems.  The 
facility  typically  has  redundant  power  supplies,  generators,  environmental 
controls  and  security  devices. 

A  logical  grouping  of  computers  and  devices  on  a  computer  network. 

A  safeguard  or  countermeasure  put  in  place  to  reduce  risks  facing  an  IT 
environment.  Examples  of  logical  IT  controls  include  authenticating  users  into  a 
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computer  system,  antivirus  software,  restricting  access  to  Internet  sites  and 
firewalls  protecting  computer  networks. 

A  Local  Area  Network  is  a  computer  network  that  covers  a  small  geographic 
area  like  an  office,  building  or  group  of  buildings. 

A  storage  room  or  closet  with  network  equipment  for  a  government  building  or 
office.  The  room  is  smaller  than  a  Shared  Data  Facility  and  typically  contains 
network  and  telecommunications  equipment  for  a  floor  or  small  office  area. 

A  safeguard  or  countermeasure  put  in  place  to  reduce  risk.  Examples  of 
physical  security  controls  include  locks  on  doors,  closed  circuit  TV  cameras, 
fences  around  buildings  and  guards  at  gates. 

A  computer  that  provides  services  or  resources  to  other  computers. 

A  government  office  or  building  that  houses  more  than  one  ministry's  computer 
equipment.  A  facility  is  under  Service  Alberta's  control. 

A  technique  used  by  hackers  where  the  attacker  walks  around  buildings  with  a 
laptop  or  personal  digital  assistant,  searching  for  unsecured  wireless  access 
points. 
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Alberta's  response  to  climate 
change 

1.  Summary 

What  the  Alberta  government  committed  to 

In  2002,  the  Alberta  government  committed  in  Albertans  &  Climate  Change: 

Taking  Action,  its  climate-change  plan,  to: 

"a  long-term  goal  of  preventing  atmospheric  concentrations  of  greenhouse 
gases  from  reaching  levels  that  have  negative  impacts  on  people  and 
ecosystems." 

The  government  also  committed  to  developing  the  strategies  needed  for  Alberta 
to  adapt  successfully  to  changes  in  climate. 

In  2008,  the  government  further  committed  to  these  goals  by  creating  Alberta  s 
2008  Climate  Change  Strategy.  The  Strategy  updates  and  replaces  the  2002 
Plan.  The  government  established,  in  these  documents,  both  emissions  intensity 
and  absolute  reduction  targets  for  provincial  emissions. 

What  we  examined 

While  other  ministries  contribute  to  initiatives  that  affect  greenhouse  gas 
emissions,  Alberta  Environment  was  responsible  for  creating  and  updating 
Albertans  &  Climate  Change:  Taking  Action  (2002  Plan)  and  Alberta  s  2008 
Climate  Change  Strategy.  The  Ministry  is  also  responsible  for  enforcing  the 
requirements  for  companies  under  the  Climate  Change  and  Emissions 
Management  Act  and  the  Specified  Gas  Emitters  Regulation,  and  for  reporting 
Alberta's  progress  toward  meeting  the  targets. 

Our  audit  examined  the  government's  systems  to  develop  the  2008  Strategy  and 
to  monitor  and  report  actions  indicated  in  the  2002  Plan  excluding  the 
Ministry's  processes  to  enforce  the  Specified  Gas  Emitters  Regulation.  The 
second  phase  of  this  audit  will  examine  the  Ministry's  enforcement  processes 
and  will  be  included  in  our  next  public  report. 

Conclusion 

For  Albertans  to  have  confidence  that  climate-change  goals  can  be  met  cost- 
effectively,  management  systems  must  improve. 

The  2008  Strategy  sets  provincial  emissions-reduction  targets  and  provides  a 
vision,  with  some — but  not  all — of  the  actions  needed  to  achieve  the  targets. 
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Now,  the  government  needs  a  master  implementation  plan  with  the  specific 
actions  to  allow  it  to  meet  the  targets,  and  with  regular  progress  reporting.  For  a 
reasonable  prospect  of  actually  meeting  the  targets,  the  implementation  plan 
should  clearly  state  the  milestone  dates  for  key  decisions.  For  example — when 
research  needs  to  be  completed  and  what  choices  have  to  be  made  from  the  best 
options  available. 

The  Strategy  forecasts  that  30%  of  reductions  will  come  from  improving 
conservation  and  energy  efficiency  and  increasing  the  use  of  fuels  that  produce 
fewer  emissions.  The  specific  actions  to  deliver  these  results  are  not  yet  known. 
A  master  implementation  plan  would  clarify  when  Albertans  need  to  be  clear  on 
the  viability  of  these  solutions  and  the  cost.  We  believe  that  for  the  government 
to  meet  its  targets,  it  needs  an  implementation  plan  as  a  matter  of  urgency. 

The  Ministry  needs  to  establish  the  criteria  for  making  these  choices  before 
developing  the  master  implementation  plan.  And  the  choices  should  be 
supported  by  an  analysis  that  indicates  that  the  actions  are  reasonably  likely  to 
help  the  government  meet  its  goals  and  targets. 

The  Ministry's  processes  for  monitoring  climate-change  plans  and  strategies 
also  need  to  be  improved.  When  we  examined  the  response  to  the  2002  Plan,  it 
was  clear  that  the  government  had  done  a  lot  of  work.  But  no  overall  system 
identified  and  tracked  the  status  of  the  government's  key  actions  or  evaluated 
their  results  in  meeting  climate-change  goals  and  targets. 

While  the  Ministry  provides  regular  performance  reporting  for  climate-change 
targets,  it  needs  processes  to  ensure  that  the  data  reported  is  reliable  and 
relevant. 

2.  Audit  objectives  and  scope 

Our  audit  objective  was  to  assess  whether  the  government  has  adequate  systems 
to  achieve  provincial  climate-change  goals  and  targets  and  the  requirements  of 
the  Climate  Change  and  Emissions  Management  Act  and  the  Specified  Gas 
Emitters  Regulation. 

The  Ministry  has  not  finished  reviewing  the  reports  required  from  companies 
under  the  Specified  Gas  Emitters  Regulation.  So  our  audit  is  divided  into  two 
parts: 

•     This  is  our  audit  of  systems  to  develop  and  report  on  climate-change  plans 
and  strategies.  We  also  examined  the  systems  used  to  monitor  actions 
indicated  in  the  2002  Plan  (excluding  the  processes  to  monitor  compliance 
with  the  Specified  Gas  Emitters  Regulation) . 
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•  We  will  report  our  audit  of  the  Specified  Gas  Emitters  program  in  our  next 
public  report  (in  April  2009). 

The  audit  covered  the  period  from  January  2001  to  July  2008. 

We  examined  the  systems  that  the  Ministry  of  Environment  used  to: 

•  monitor  and  report  the  2002  Plan. 

•  develop  Alberta  s  2008  Climate  Change  Strategy. 

We  also  examined  the  following  climate-change  programs  funded  by  other 
ministries: 

•  Energy  retrofit  in  Government  of  Alberta  buildings,  funded  by  Alberta 
Infrastructure. 

•  ME  first!  Program,  funded  by  Alberta  Municipal  Affairs. 

•  Bioenergy  program,  funded  by  Alberta  Energy. 

We  do  not  comment  on  the  actual  targets  the  Alberta  government  chose — that  is 
beyond  our  mandate.  Creating  emissions  targets  involves  balancing  significant 
environmental,  social,  and  economic  effects  and  is  the  responsibility  of  the 
Ministers  involved  and  the  Legislative  Assembly. 

3.  Criteria  and  conclusions 

We  assessed  adequacy  of  climate-change  systems  in  terms  of  three  general 
criteria  outlined  in  section  19  of  the  Auditor  General  Act  Do  the  necessary 
systems  exist?  Are  the  systems  well  designed?  Do  they  operate  as  they  should? 

Overall,  we  conclude  that  the  systems  exist,  but  they  need  better  design. 

We  defined  the  following  three  additional  criteria  to  guide  our  work.  The 
Ministry  agreed  with  these  criteria. 

Criterion  #  1 — set  measurable  goals  and  targets  for  the  provincial 
climate-change  approach  and  plan  what  is  needed  to  achieve  them 

This  criterion  was  partly  met.  The  government  established  measurable  goals 
and  targets  for  climate  change  and  a  high-level  strategy.  But  no  evidence  shows 
that  the  particular  actions  in  the  2008  Strategy  will  allow  Alberta  to  meet  these 
goals  and  targets. 

The  emissions  reduction  actions  in  the  2008  Strategy  are  grouped  under  three 
focus  areas — conservation  and  energy  efficiency,  carbon  capture  and  storage, 
and  greening  energy  production.  Emissions  reduction  targets  have  been  set  for 
each  focus  area.  (See  Appendix  4).  The  Ministry  has  not  yet  developed  the 
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Master  plan  to 
implement 
Strategy  needed — 
with  deadlines  and 
monitoring 


overall  criteria  to  select  actions  to  meet  the  target  reductions  for  each  focus 
area.  For  example,  the  Ministry  has  not  established  the  maximum  amount  it  will 
pay  per  tonne  of  emissions  reduction.  Nor  has  it  established  the  effect  the 
actions  should  have  on  GDP  or  done  an  analysis  to  ensure  that  the  actions 
selected  are  the  most  cost-effective  ones  or  result  in  the  fewest  negative 
impacts. 

The  2008  Strategy  acknowledges  that  further  decisions  need  to  be  made  and 
implementation  plans  need  to  be  developed,  including  a  plan  to  develop 
adaptation  strategies.  However,  except  for  carbon  capture  and  storage,  no 
document  states  when  research  needs  to  be  completed  and  choices  have  to  be 
made.  The  focus  areas  need  to  be  converted  into  a  master  implementation  plan 
with  deadlines  and  monitoring  before  Albertans  can  have  confidence  that 
Alberta  will  achieve  the  climate-change  goals  and  targets  cost-effectively.  See 
our  recommendation  in  section  4.1. 


Monitoring 
system  needed 


Criterion  #  2 — complete  the  actions  and  monitor  compliance  and 
progress  against  emissions  reduction  targets 

This  criterion  was  partly  met.  Some  actions  required  to  fulfill  the  2002  Plan 
were  included  in  the  Ministry's  operational  plans  and  in  the  operational  plans  of 
other  ministries.  But  no  overall  system  tracks  the  status  of  all  actions,  including 
actions  with  specific  targets,  nor  is  there  a  process  to  ensure  that  emissions 
reductions  were  evaluated  for  all  completed  actions.  See  our  recommendation 
in  section  4.2. 


Performance 
reporting  must  be 
accurate  and 
precise 


Criterion  #  3 — report  on  climate-change  results,  evaluate  the  results  and 
provide  feedback  to  decision  makers 

This  criterion  was  partly  met.  For  Albertans  to  understand  progress  on  climate 
change,  performance  reporting  should  be  accurate  and  easily  understood.  Each 
year,  the  Ministry  reports  Alberta's  progress  in  achieving  the  emissions 
intensity  target.  We  found  one  case  where  the  data  in  the  target  was  incorrect 
and  another  case  where  the  data  used  to  set  the  target  in  the  2008  Strategy  was 
not  consistent  with  the  absolute  emissions  incurred  for  that  year.  In  another 
case,  the  Ministry  reported  greenhouse  gas  reductions  that,  as  worded,  appears 
to  inaccurately  convey  reductions  in  emissions  intensity  as  absolute  emissions 
reductions.  See  our  recommendation  in  section  4.3. 


96 


Report  of  the  Auditor  General  of  Alberta— October  2008 


■ 

D 
D 


Environment 


Alberta's  response  to  climate  change 


4.  Recommendations 

4.1  Planning 

Recommendation  No.  9 

We  recommend  that  the  Ministry  of  Environment  improve  Alberta's 
response  to  climate  change  by: 

•  establishing  overall  criteria  for  selecting  climate-change  actions. 

•  creating  and  maintaining  a  master  implementation  plan  for  the  actions 
necessary  to  meet  the  emissions-intensity  target  for  2020  and  the 
emissions-reduction  target  for  2050. 

•  corroborating— through  modeling  or  other  analysis — that  the  actions 
chosen  by  the  Ministry  result  in  Alberta  being  on  track  for  achieving 
its  targets  for  2020  and  2050. 


Targets  set  to  cut 
emissions 


Key  dates:  2010 
and  2020 

Key  date:  2050 


Background 

In  the  2002  Plan  and  the  2008  Strategy,  and  in  the  Climate  Change  and 
Emissions  Management  Act,  the  government  committed  to  the  following 
targets: 

•  Emissions  intensity— reduce  this  by  20%  below  1990  levels  by  2010,  and 
by  50%  by  2020.  " 

•  Absolute  emissions— reduce  these  from  2005  levels.  Starting  in  2005, 
absolute  emissions  are  targeted  to  increase  up  to  2020,  and  then  to 
decrease.  The  ultimate  target  is  a  14%  reduction  of  2005  levels  by  2050- 
see  Appendix  4  on  page  107. 


Programs 
examined 


We  examined  the  following  programs,  created  or  continued  as  part  of 
government's  response  to  the  2002  Plan. 

•  The  Alberta  Climate  Change  Vulnerability  Assessment— these  studies 
assess  Alberta's  biophysical,  social,  and  economic  vulnerability  to  climate 
change. 

•  Bioenergy  program — the  Biorefining  Commercialization  and  Market 
Development,  the  Bioenergy  Infrastructure  Development  and  the 
Renewable  Energy  Producer  Credit  Program  grant  programs  were  part  of 
government's  $239-million  plan  to  encourage  growth  of  a  clean,  renewable 
fuel  industry  in  Alberta. 

•  Specified  Gas  Emitters  program — about  100  facilities  emitting  more  than 
100,000  tonnes  of  greenhouse  gas  (GHG)  annually  must  reduce  their 
emissions  intensity.  Facilities  that  miss  their  target  must  either  buy  an 
emissions  right  from  another  firm,  buy  a  certified  emissions  offset,  or  buy 
the  right  to  emit  from  the  government  by  contributing  to  the  province's 
Climate  Change  and  Emissions  Management  Fund. 
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Inputs  for  2008 
Strategy 


•  ME  first!— a  4-year  (2003-2006),  $100  million,  interest-free  loan  program 
offered  by  Alberta  Municipal  Affairs,  designed  to  help  municipalities  save 
energy,  reduce  greenhouse  gas  emissions,  and  replace  conventional  energy 
sources  with  renewable  or  alternative  sources.  The  program  provided 
$38.8  million  in  interest-free  loans  to  71  municipalities  for  84  projects  at  a 
program  cost  of  $5.0  million.  To  qualify  for  an  interest-free  loan, 
municipalities  had  to  show  how  projects  would  save  energy. 

•  The  energy  retrofit  performance  contract  program— initiated  in  1995  by 
Alberta  Infrastructure  as  a  part  of  the  Alberta  government's  participation 
in  Canada's  Climate  Change  Voluntary  Challenge  and  Registry  Program. 
In  2001,  the  Alberta  government  set  a  target  to  reduce  greenhouse  gas 
emissions  by  102  kilotonnes  of  carbon  dioxide  (C02)  below  1990  levels  in 
government-owned  buildings  by  2005. 

The  Ministry  used  computer-based  economic  modeling  and  consulted  with  the 
public,  experts  and  stakeholders  to  choose  targets  and  strategies  in  the  2008 
Strategy.  It  used  these  inputs  to  create  the  Strategy. 

Criteria:  the  standards  we  used  for  our  audit 

The  province  should: 

•  set  measurable  goals  and  targets  for  the  provincial  climate-change 
approach  and  plan  how  to  achieve  them. 

•  assess  cost-effectiveness  including  consideration  of  social,  economic  and 
other  environmental  impacts  when  choosing  projects  to  fulfill  the  Strategy. 

•  consider  free-rider  and  rebound  effects  when  forecasting  emissions 
reductions  resulting  from  incentive  programs. 

•  put  in  place  a  master  implementation  plan  for  the  2002  Plan  and  2008 
Strategy  that  indicates,  for  each  focus  area,  the  major  actions  required  and 
each  action's: 

•  deliverables  and  timing. 

•  required  resources. 

•  planned  effect  towards  meeting  Alberta's  emissions  targets. 


Cost-effectiveness 
not  always 
considered 


Our  audit  findings 

The  government  did  not  consistently  consider  cost-effectiveness  when  it 
decided  to  establish  climate-change  programs  to  fulfill  the  2002  Plan.  It  did 
consider  cost-effectiveness  for  the  energy  retrofit  program  and  for  the  Specified 
Gas  Emitters  program.  In  contrast,  the  costs  of  Me  First!  and  the  Bioenergy 
programs  were  known  at  the  planning  stages,  but  the  amount  of  emissions 
reductions  expected  at  the  planning  stage  of  the  programs  was  not  documented. 
We  have  made  a  separate  recommendation  (on  page  255)  to  the  Department  of 
Energy  to  evaluate  the  extent  of  the  reductions  bioenergy  programs  can  achieve. 
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Ministry  started 
implementation 
plan 


To  fulfill  the  2008  Strategy,  the  Ministry  started  an  implementation  plan  for  the 
energy  efficiency  and  conservation  focus  area.  The  costs,  timing,  and  expected 
reductions  were  indicated  for  most  of  the  proposed  actions.  The  Ministry  told 
us  it  got  expert  advice  on  projects,  which  reflected  knowledge  of  existing 
programs  and  experience  in  Alberta  and  nationally.  When  selecting  the  projects 
the  Ministry  also  ensured  the  projects  would  not  result  in  an  increase  in  energy 
prices  and  were  socially  acceptable. 


Overall  criteria  for 
selecting  projects 
not  yet  set 


The  Ministry  did  not  develop  the  overall  criteria  for  selecting  projects  used  to 
fulfill  the  2002  Plan  and  has  not  yet  developed  the  overall  criteria  for  selecting 
projects  to  fulfill  the  2008  Strategy.  For  example,  the  Ministry  has  not  set  the 
maximum  amount  it  will  pay  per  tonne  of  emissions  reduction.  Nor  has  it 
decided  on  the  effect  that  actions  should  have  on  GDP  or  employment,  or  the 
sectors  it  wants  to  affect. 


Ministry  does  not 
know  best  route  to 
achieve  reductions 


That  actions  will 
achieve  target  not 
corroborated 

Major  actions  not 
modeled 

Modeled  action 
not  included 


The  Ministry  has  also  not  decided  the  process  to  evaluate  the  free-rider  or 
rebound  effects  associated  with  incentive  programs.  Most  importantly,  it  has 
done  no  work  to  establish  that  the  actions  selected  are  the  most  cost-effective 
alternatives  or  result  in  the  fewest  negative  impacts  and  that,  accordingly, 
Albertans  are  getting  the  best  deal  possible  on  their  emissions  reductions. 

The  government  has  set  measurable  goals  and  targets  but  had  not  corroborated 
that  the  actions  chosen  for  the  2002  Plan  would  result  in  Alberta  achieving  the 
2010  and  2020  targets.  The  government  also  has  no  corroboration  that  the 
particular  actions  chosen  in  the  Strategy  are  likely  to  achieve  the  2050  target. 
While  the  Ministry  used  computer  based  modeling  in  developing  the  2008 
Strategy,  major  actions  in  the  2008  Strategy  were  not  explicitly  modeled. 
Specifically,  scenarios  that  included  technology  subsidies  and  other  incentives, 
capacity  building,  the  removal  of  barriers  to  technology  deployment,  or  raising 
awareness  were  not  modeled.  And  the  actions  that  the  model  indicated  could 
result  in  the  reductions  were  not  in  the  2008  Strategy. 


The  actions  included  in  the  model  but  not  in  the  2008  Strategy  consist  of: 

•  an  escalating  economy-wide  carbon  charge  increasing  from  $15/tonne 
(now),  to  $30/tonne  in  2020,  $60/tonne  in  2030,  and  $100/tonne  in  2050. 

•  a  strict  regulation  that  all  large,  new  industrial  facilities  are  required  to 
incorporate  carbon  capture  and  storage  by  2015  wherever  possible. 


Target  based  on 
other  actions 


The  14%  reduction  target  in  the  Strategy  is  based  on  actions  that  are  more 
stringent  than  the  actions  the  Strategy  chose. 
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The  Ministry  told  us  that  the  Strategy  identifies  specific  actions — programs  and 
processes — needed  in  the  shorter-term  to  maintain  existing  momentum  or  to 
initiate  action  in  key  areas  that  the  province  needs  to  pursue  and  build  on  to 
achieve  the  climate-change  objectives. 

The  Strategy  acknowledges  that  implementation  plans  need  to  be  developed  for 
both  the  emissions  reduction  and  adaptation  actions.  It  sets  a  deadline  of  fall 
2008  for  the  Carbon  Capture  and  Storage  Development  Council  to  prepare  an 
implementation  plan.  If  successful,  that  plan  could  result  in  about  70%  of  the 
reductions  required.  But,  there  is  no  deadline  for  when  the  other  emissions- 
reduction  actions  will  be  identified.  They  are  the  ones  that  will  ultimately  result 
in  Alberta  achieving  the  remaining  30%  of  reductions  required.  Nor  is  there  a 
deadline  for  implementing  the  actions  needed  for  the  province  to  adapt 
successfully  to  climate  changes. 

Implications  and  risks  if  recommendation  not  implemented 

Alberta  could  spend  a  lot  of  money  but  not  achieve  emissions  targets.  Or  it 
could  achieve  targets,  but  not  cost-effectively. 

4.2  Monitoring  processes 
Recommendation  No.  10 

We  recommend  that  for  each  major  action  in  the  2008  Climate  Change 
Strategy,  the  Ministry  of  Environment  evaluate  the  action's  effect  in 
achieving  Alberta's  climate  change  goals. 

Background 

The  Specified  Gas  Emitters  program,  the  energy  retrofit,  ME  first!,  the 
Bioenergy  program  and  the  adaptation  research  studies  were  some  of  the 
government's  actions  done  to  fulfill  the  2002  Plan.  "Facts  about  climate 
change"  is  an  accountability  report  published  by  the  Ministry  that  explains  the 
climate-change  issue  and  actions  the  government  took  in  response  to  the 
2002  Plan. 

Criteria:  the  standards  we  used  for  our  audits 

The  government  should  complete  the  actions  in  its  2002  Plan  and  2008  Strategy 
and  monitor  compliance  and  progress  against  emissions-reduction  targets. 

Our  audit  findings 

In  its  2002  Plan,  the  government  committed  to  about  50  actions.  Some  actions 
were  included  in  the  Ministry's  operational  plans  and  in  operational  plans  of 
other  ministries.  But  there  was  no  overall  system  to  track  the  status  of  all 


Strategy  focus  on 
short-term 


Deadline  for  other 
30%  reductions 
needed 


Missed  targets, 
wasted  money 


Several  programs 
in  this  report 


No  overall 
monitoring  system 
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Information  on 
ME  first!  still 
needed 


Ministry 
developing 
monitoring  system 
for  Strategy 


actions  (including  actions  with  specific  targets),  the  cost  to  government,  or  the 
planned  contribution  in  meeting  Alberta's  target. 

For  the  five  actions  we  specifically  examined,  we  found  that: 

•  the  vulnerability-assessment  study  was  completed. 

•  the  specified  gas  emitters  program  was  implemented. 

•  the  energy  retrofit  project  was  completed  and  the  Department  of 
Infrastructure  had  compiled  information  to  show,  in  total  for  this  and  other 
energy  efficiency  actions,  both  the  cost  and  energy  savings  and  that  they 
had  met  their  2005  emissions-reduction  target. 

•  the  bioenergy  program  has  been  established  and  grants  are  being  given  out 
under  it. 

•  the  ME  first!  Program  was  completed,  but  information  about  the  actual 
overall  emissions  reductions  had  not  been  obtained  by  the  Department  of 
Municipal  Affairs.  We  have  made  a  separate  recommendation  to  the 
Department  on  this — see  page  335. 

The  Ministry  is  developing  a  monitoring  system  for  the  2008  Strategy.  It  has 
proposed  a  governance  structure  for  implementing  the  2008  Strategy  that 
includes  a  cross-ministry  Deputy  Ministers'  committee,  an  Assistant  Deputy 
Ministers'  committee,  and  working-team  committees.  The  terms  of  reference 
for  these  committees  had  not  been  established  when  we  finished  this  audit. 


Missed  actions 
and  targets 
possible 


Implications  and  risks  if  recommendation  not  implemented 

Without  an  overall  monitoring  system  that  evaluates  whether  key  actions  have 
been  implemented,  and  their  effect,  actions  may  not  be  implemented  and 
government  targets  may  not  be  met. 


4.3  Public  reporting 

Recommendation  No.  11 

We  recommend  that  the  Ministry  of  Environment  improve  the  reliability, 
comparability  and  relevance  of  its  public  reporting  on  Alberta's  success 
and  costs  incurred  in  meeting  climate-change  targets. 


Ministry  reports 
emissions 
intensity  yearly 


Measuring  Up 
reports  yearly 


Background 

Each  year,  the  Ministry  reports  the  emissions  intensity  achieved  and  the  target 
in  the  State  of  the  Environment  Report.  The  emissions  intensity  measure 
calculates  total  emissions  divided  by  the  gross  domestic  product  (GDP) . 

The  government  reports  its  performance  against  goals  annually  in  Measuring 
Up.  Goal  3  is:  "The  high  quality  of  Alberta's  environment  will  be  sustained.  " 
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Statistics  Canada 
data  in  National 
Inventory  Report 


Reduced 

emissions  reported 


The  federal  government  publishes  the  National  Inventory  Report  annually.  This 
publication  includes  data  on  emissions  and  emissions  intensity  for  each 
province.  The  National  Inventory  Report  uses  GDP  figures  from  the  National 
Economic  Accounts  data  produced  by  Statistics  Canada. 

In  June  2008,  the  Ministry  issued  a  news  release  saying  that  the  Specified  Gas 
Emitter  program  resulted  in  companies  reducing  emissions  by 
2.6  million  tonnes  by  operational  changes  and  practices,  including  better  use 
and  re-use  of  energy. 


Public  report 

Measure  and 
report  spending 


Incorrect  target 
reported 


Provincial  and 
national  reporting 
differ 


Both  emissions 
and  GDP  need  to 
be  reported 


Report  on  target 
missing 


2005  emissions 
level  in  target 
needs  to  be 
corrected 


Criteria:  the  standards  we  used  for  our  audits 

The  Ministry  should  report  on  climate-change  results,  evaluate  the  results,  and 
provide  feedback  to  decision  makers.  The  Ministry  should: 

•  publicly  and  promptly  report  progress  against  overall  targets  and  goals. 

•  implement  a  system  to  measure  and  report — accurately  and  completely— 
on  climate-change  spending. 

Our  audit  findings 

The  emissions-intensity  target  for  2010  in  the  State  of  the  Environment  Report 
is  incorrectly  reported  as  a  30%  reduction.  The  target  is  actually  a  22% 
reduction  from  the  1990  emissions  intensity. 

The  Ministry's  emissions-intensity  figures  reported  in  the  State  of  the 
Environment  Report  are  not  the  same  as  those  reported  in  the  National 
Inventory  Report.  The  comparability,  over  time  and  between  jurisdictions,  of 
Alberta's  emissions  intensity  would  improve  if  the  Ministry  consistently  used 
the  GDP  figures  used  in  the  National  Inventory  Report. 

The  Ministry  also  reports  the  1991-2005  emissions  intensity  only  as  part  of  an 
index  relative  to  the  1990  emissions  intensity.  Transparency  in  the  calculation 
of  the  measure  would  improve  if  both  the  emissions  and  the  GDP  were 
reported. 

The  2008  Strategy  does  not  refer  to  the  50%  reduction  in  emissions-intensity 
target.  This  target  was  established  in  both  the  2002  plan  and  the  Climate 
Change  and  Emissions  Management  Act.  Accordingly,  unless  the  Act  is 
amended,  the  Ministry  will  need  to  report  on  this  measure  until  2020. 

Appendix  4  shows  the  emissions  target  for  2050.  The  2008  Strategy  established 
a  long-term  target  of  reducing  emissions  to  14%  less  in  2050  than  the  emissions 
reported  in  2005.  The  Strategy  indicated  that  2005  emissions  were 
205  megatonnes.  But  the  National  Inventory  reports  the  figure  as 
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may  be  misleading 


231  megatonnes.  The  difference  occurs  because  the  Ministry  used  the  forecast 
data  provided  by  its  model  and  the  model  did  not  include  all  provincial 
emissions.  The  Ministry  needs  to  decide  how  to  adjust  for  this  difference  when 
reporting  actual  performance  against  the  14%  reduction  target. 

The  Ministry  has  not  yet  decided  how  to  report  Alberta's  performance  against 
the  2008  Strategy.  To  be  relevant,  the  Ministry  should  report  against  absolute 
emissions  or  emissions-intensity  targets,  not  against  the  200-megatonne 
emissions-reduction  target  (See  Appendix  4).  Much  of  the  focus  on  targets  in 
the  Strategy  is  on  explaining  the  200-megatonne  reduction  between  forecasted 
results  if  the  government  took  no  action  (business  as  usual)  and  the  14% 
reduction  target  level  for  2050.  The  business-as-usual  case  is  only  a  forecast, 
based  on  many  assumptions  such  as  the  price  of  oil.  The  forecast  becomes  out 
of  date  each  time  the  price  of  oil  varies  from  the  assumption.  Therefore, 
performance  reporting  against  this  target  becomes  a  hypothetical  exercise, 
especially  for  the  later  periods.  Performance  reporting  should  compare  actual 
results  to  the  emissions-intensity  target  and  the  absolute  emissions  target. 

The  Ministry  reported  in  a  news  release  that,  as  a  result  of  the  first  period  of 
implementation  of  the  Specified  Gas  Emitter  program,  2.6  million  tonnes  of 
actual  reductions  were  achieved.  The  phrase  "actual  reductions"  implies 
absolute  reductions.  However,  the  reductions  for  the  Specified  Gas  Emitter 
program  were  calculated  on  an  intensity  basis  and  from  the  use  of  offsets.  The 
intensity  basis  adjusts  the  baseline  level  of  emissions  for  increases  or  decreases 
in  production  that  occurred  during  the  compliance  period.  The  guidelines  for 
offsets  for  the  Specified  Gas  Emitter  program  allow  offsets  to  be  created  as 
early  as  2002.  Accordingly,  some  of  the  "actual  reductions"  from  use  of  offsets 
may  have  occurred  prior  to  the  implementation  of  the  Specified  Gas  Emitter 
program. 

There  was  no  analysis  done  to  determine,  considering  the  use  of  offsets, 
whether  absolute  emissions  for  large  final  emitters  actually  decreased  in  the 
compliance  period  from  the  baseline  year  levels.  Since  an  intensity  reduction 
may  be  associated  with  absolute  increases  in  greenhouse  gases,  the  Ministry 
should  have  analyzed  absolute  emissions — to  show  the  accuracy  of  its 
assertion — or  categorized  the  reductions  as  "efficiency  improvements"  rather 
than  "actual  reductions". 
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To  date,  we  have  identified  planned  provincial  spending  for  climate-change 
costing  about  $4.7  billion.  These  actions  are  administered  by  8  Ministries.  The 
Facts  about  climate  change  document  reported  some  of  the  costs  of  programs 
that  had  been  announced  up  to  2007.  There  is  no  overall  reporting  to  allow 
Albertans  to  know  how  much  is  being  spent  to  meet  climate-change  goals. 

While  Measuring  Up  2008  reported,  as  one  of  the  outcomes  for  Goal  3,  that  the 
2008  Strategy  had  been  released,  there  was  no  reporting  on  the  extent  to  which 
Alberta  has  achieved  its  climate-change  targets. 


Assessing 
progress  not 
possible 


Absolute 
greenhouse  gas 
emissions 


Adaptation  to 
Climate  Change 
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equivalent  (C02e) 


Cost  effectiveness 
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Free-rider  effect 


Implications  and  risks 

Without  accurate  and  transparent  public  reporting,  Alberta's  progress  against  its 
climate-change  goals  and  its  overall  investment  in  climate-change  programs 
cannot  be  assessed. 

5.  Glossary 

The  total  greenhouse  gas  emissions  produced,  usually  measured  annually. 
Absolute  emissions  can  be  quantified  for  entities  ranging  from  an  individual 
facility  or  company,  to  a  province  or  country  or  group  of  countries. 

Adjustments  in  ecological,  social,  or  economic  systems  in  response  to  climatic 
stimuli  and  their  effects  or  impacts. 

A  selected  point  in  time  against  which  future  years'  emissions  will  be 
compared.  For  example,  in  the  2008  Strategy,  the  2050  target  level  of  emissions 
is  set  relative  to  the  level  of  emissions  produced  by  the  province  in  2005.  2005 
is  the  baseline  year  for  that  target. 

Carbon  dioxide  equivalent  is  used  to  standardize  measurement  of  greenhouse 
gas  emissions.  Each  greenhouse  gas  has  its  own  global  warming  potential.  For 
example,  methane  is  21  times  more  powerful  than  carbon  dioxide.  One  tonne  of 
methane  is  equivalent  to  21  tonnes  of  carbon  dioxide. 

An  indicator  of  preferred  action  in  terms  of  emissions  reduced  for  money  spent. 

The  ratio  of  greenhouse  gas  emissions  divided  by  Gross  Domestic  Product  or 
some  other  measure  of  output  such  as  production. 

When  the  government  offers  an  incentive  for  the  purchase  of  a  product  or 
service,  people  who  would  have  purchased  the  product  regardless  of  the 
incentive  (free  riders)  will  still  receive  the  incentive.  For  example,  a  person  for 
whom  a  hybrid  car  would  be  their  first  choice  at  full  price,  the  incentive  does 
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Greenhouse  gases 


Gross  domestic 
product 


Megatonne 
Rebound  effect 


not  influence  their  decision,  yet  they  still  receive  it.  The  free-rider  effect  should 
be  accounted  for  in  evaluating  options.  Otherwise,  program  effects  will  be  over- 
estimated. 

The  main  greenhouse  gases  (GHG)  are:  carbon  dioxide  (C02),  methane  (CH4), 
nitrous  oxide  (N20),  hydrofluorocarbons  (HFCs),  perfluorocarbons  (PFCs)  and 
sulfur  hexafluoride  (SF6). 

The  monetary  value  of  all  goods  and  services  produced  within  a  region's  (often 
a  province  or  country)  borders  and  within  a  particular  period  of  time,  such  as  a 
year. 

1  million  metric  tonnes. 

Energy  savings  from  efficiency  improvements  are  sometimes  less  than 
predicted  because  higher  efficiency  can  lead  to  increased  use.  If  evaluations  of 
incentive  programs  don't  consider  the  rebound  effect,  they  will  often 
under  estimate  eventual  energy  use  and  over-estimate  emissions  reductions. 


Other  useful  sources  for  understanding  terminology  are: 

•  2006  Climate  Change  Report  of  the  Commissioner  of  the  Environment  and 
Sustainable  Development. 

•  Response  of  the  National  Round  Table  on  the  Environment  and  Economy  to 
its  Obligations  Under  the  Kyoto  Protocol  Implementation  Act.  
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Appendix  4  Alberta's  Absolute  Emission  Reduction  Target 
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financial  services  to 
Albertans 


Summary 

What  is  treasury  management 

Treasury  management  is  to  plan,  organize  and  control,  within  acceptable 
levels  of  risk,  the  funds  of  an  organization  optimally  and  profitably.  Primary 
functions  include  investment  and  financial  risk  management.  In  the 
accompanying  Background  (section  6  on  page  144),  we  describe  treasury 
management  in  more  detail. 

What  we  examined 

We  assessed  whether  ATB  Financial  (Alberta  Treasury  Branches  or  ATB)  has 
effective  systems  to  manage  treasury  risks1.  ATB  operates  as  a  full  service 
financial  institution  serving  Albertans.  A  financial  institution's  systems  to 
identify,  monitor  and  manage  risk  are  critical  to  its  success.  ATB's  treasury 
department  plays  an  important  role  in  the  successful  management  of  ATB's 
treasury  risks,  including,  for  example,  minimizing  investment  losses. 

Good  systems  involve  examinations  of  whether  their  design  and  operation 
continue  to  be  effective.  We  therefore  assessed  whether  ATB  management  had 
taken  steps  necessary  to  understand  why  it  incurred  a  provision2  for  loss  of 
more  than  $253  million  on  its  investments  in  asset  backed  commercial  paper 
(ABCP)3. 

Why  it  is  important  to  Albertans 

All  Albertans  have  a  stake  in  ATB's  success  as  the  Government  of  Alberta 
owns  ATB  and  the  ATB  board  of  directors  is  accountable  to  the  Minister  of 
Finance  and  Enterprise.  ATB  provides  financial  services  to  over  660,000 
customers  in  244  Alberta  communities  and  has  over  $24  billion  in  assets. 


1  Treasury  risks  include:  liquidity  risk,  interest  rate  risk,  financial  risks  related  to  its  investments,  foreign  exchange  risk,  and 
credit  risk  related  to  securities  and  derivatives. 

2  A  provision  is  an  accounting  term  which  means  an  estimated  expense  that  is  charged  to  net  income  for  a  decrease  in  value 
of  an  asset.  The  actual  cash  loss  of  capital  and  interest  to  ATB  resulting  from  its  investment  in  asset  backed  commercial 
paper  will  not  be  known  for  potentially  nine  years  which  is  the  expected  maturity  of  the  assets  that  ATB  will  receive  once  the 
restructuring  process  is  completed. 

3  We  have  defined  ABCP  in  section  5.1  on  page  118. 
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ATB's  returns  belong  to  all  Albertans.  But  there  is  a  potential  cost.  The 
Government  of  Alberta  provides  a  deposit  guarantee  to  all  ATB  depositors. 
Because  of  the  deposit  guarantee,  Albertans  have  a  significant  stake  in  ATB's 
financial  success  and  ensuring  that  ATB  is  well  managed.  Management  of 
treasury  risks  is,  therefore,  of  real  importance  to  Albertans. 

What  needs  to  be  done 

Management  of  ATB  needs  to  substantially  upgrade  its  treasury  management 
systems.  Specifically,  we  concluded: 

•  Processes,  for  investing  and  for  identifying,  measuring  and  monitoring 
liquidity  and  interest  rate  risk  need  to  change. 

a)  ATB  needs  to  finalize  business  rules  and  operating  procedures  related 
to  its  investment  processes.  ATB's  process  for  establishing  Global 
Financial  Markets'  (GFM)  performance  targets  needs  to  be 
transparent  and  ATB  should  keep  the  evidence  that  supports 
decisions  made.  The  variable  pay  program  guidelines  need  to  be 
completed  or  staff  may  be  rewarded  when  corporate  objectives  are 
not  achieved.  (See  sections  5.1.1,  5.1.2  and  5.1.3). 

b)  ATB's  liquidity  risk  management  systems  do  not  fully  comply  with 
the  Alberta  Finance  and  Enterprise  Liquidity  Guideline  requirements. 
ATB  can  improve  its  liquidity  reporting,  liquidity  contingency  plan 
and  liquidity  risk  identification  processes.  (See  sections  5.2.1,  5.2.2 
and  5.2.3). 

c)  ATB's  processes  for  measuring  interest  rate  risk  need  improvement. 
Specifically,  ATB  needs  to  strengthen  its  controls  over  measuring 
interest  rate  risk;  improve  its  process  for  creating,  applying  and 
validating  assumptions  used  in  its  models;  define  significant  interest 
rate  risk  exposures  and  model  those  exposures;  and  provide  further 
improved  reporting  to  senior  management  and  the  Board.  (See 
sections  5.3.1,  5.3.2,  5.3.3  and  5.3.4). 

d)  Internal  audit  needs  to  regularly  examine  all  types  of  ATB's 
derivative  activities  to  promptly  identify  and  rectify  internal  control 
weaknesses  and  ensure  ATB  fully  complies  with  the  Alberta  Finance 
and  Enterprise  Derivatives  Best  Practices  Guideline  requirements. 
(See  section  5.5.1). 

•  ATB's  treasury  monitoring  systems  need  more  resources  to  make  those 
systems  more  effective.  (See  section  5.4.1). 

•  ATB  spends  significant  time  manually  compiling  treasury  data  rather  than 
analyzing  and  interpreting  it.  ATB  needs  to  upgrade  its  treasury 
information  technology  tools.  (See  section  5.4.2). 

•  ATB  treasury  policies  need  to  be  updated  to  incorporate  industry  good 
practices.  (See  section  5.4.3). 
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•     ATB's  Asset  Liability  Committee  (ALCO)  can  be  improved  through 
greater  executive  involvement  and  more  strategic  focus  on  treasury 
management.  (See  section  5.4.4). 

As  part  of  this  audit,  we  examined  certain  ATB  decisions  made  in  the  past 
related  to  investing  in  ABCP.  We  reasoned  that  examining  that  decision 
making  would  give  us  useful  insight  as  we  took  a  broader  look  at  other 
treasury  systems.  We  have  used  the  headings  below  (the  past,  the  present  and 
the  future)  to  help  readers  understand  how  the  lessons  of  the  past  can  and  must 
be  used. 


Under  the  past,  we  describe  lessons  to  be  learned  by  ATB  and  others  in  the 
public  sector  from  ABCP.  Under  the  present,  we  describe  current  initiatives 
ATB  is  undertaking  to  change  its  treasury  systems.  Under  the  future,  we 
clearly  state  that  improvements  to  treasury  systems  will  only  be  made  through 
successful  implementation  of  change. 


ATB  held 
$1.1  billion  in 
ABCP 


Policy  allowed  up  to 
60%  of  portfolio  to 
be  invested  in 
ABCP 


The  past 

ATB  held  $1.1  billion4  in  third-party  ABCP  affected  by  the  market  disruption 
which  occurred  in  August  2007.  Four  questions  Albertans  should  ask  are: 

1 .  Why  did  ATB  have  that  much  ABCP? 

2.  What  lessons  should  ATB  learn  from  its  investment  in  the  commercial 
paper  asset  class,  which  includes  ABCP. 

3.  What  are  the  implications  of  ATB's  investment  in  ABCP? 

4.  What  are  the  lessons  to  be  learned  by  ATB's  Board  of  Directors? 

Why  did  ATB  have  that  much  ABCP? 

•  ATB's  investment  policy  allowed  ATB  to  invest  up  to  60%  or 
approximately  $1.8  billion  of  its  $3.0  billion  investment  portfolio  in  the 
commercial  paper  asset  class,  which  includes  ABCP. 

•  ABCP  investments  were  considered  investment  grade  by  investors 
because  of  the  Rl-high  or  triple- A  ratings  issued  by  a  credit  rating 
agency. 

•  ATB  received  a  higher  return5  from  investing  in  third-party  ABCP 
compared  to  other  acceptable  investments  under  the  investment  policy. 


4  Included  in  the  $1.1  billion  in  third-party  ABCP  held  by  ATB  in  August  2007  was  $255  million  in  third-party  ABCP 
acquired  from  ATB's  subsidiaries  in  the  weeks  following  the  August  13,  2007  market  disruption. 

5  The  following  puts  the  term  "higher  return"  in  context.  At  March  2007,  ATB  earned  approximately  8  basis  points  (0.08%) 
above  bankers'  acceptances  (BAs)  by  investing  in  third-party  ABCP  and  18  basis  points  above  BAs  by  investing  in 
categories  of  third-party  ABCP  described  as  extendible  and  floating  rate  notes.  The  additional  net  income  earned  by  ATB 
investing  $1.4  billion  (balance  at  April  1,  2007)  in  third-party  ABCP  rather  than  BAs  would  be  approximately  $1.5  million. 
BAs  are  investments  guaranteed  by  a  bank  and  backed  by  the  credit  of  the  bank  and  the  issuer. 
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•  ATB  chose  to  invest  in  third-party  ABCP  to  achieve  increasing  GFM 
performance  targets.  The  GFM  variable  pay  program  was  also  partially 
based  on  achieving  these  targets. 

What  lessons  should  ATB  learn  from  its  investment  losses  in  ABCP? 

•  Understand  the  risks  and  characteristics  of  products  before  investing  in 
them.  ATB  did  not  fully  understand  the  nature  of  the  underlying  assets. 

•  Clearly  outline  its  investment  objectives  and  tolerance  for  risk  in  its 
investment  policy. 

•  Ensure  there  is  diversification  in  investment  holdings. 

•  Do  not  rely  on  a  credit  rating  from  just  one  credit  rating  agency. 

•  Establish  processes  to  monitor  investment  risk  and  develop  early  warning 
signals. 

•  Consider  investment  policies  of  subsidiary  companies  at  the  parent 
company  level. 

What  are  the  implications  of  ATB's  investment  in  ABCP? 

•  ATB  recorded  a  provision  for  losses  in  value  on  its  ABCP  of  $253  million 
which  reduced  net  income  to  $30  million  for  the  year-ended 

March  31,  2008. 

•  ATB's  assets  readily  convertible  to  cash  (liquid  assets)  were  reduced. 
Alberta  Finance  and  Enterprise  increased  ATB's  borrowing  limit  and  ATB 
increased  its  borrowings  from  other  financial  institutions  to  improve 
liquidity. 

•  The  ATB  Regulation  was  changed  to  allow  ATB  to  hold  the  restructured 
notes6.  The  ATB  Act  and  Regulation  contains  a  concentration  limit  that 
restricts  ATB's  investment  or  lending  to  an  individual  party  to  25%  of  its 
equity.  An  exception  has  been  made  for  the  restructured  notes. 

•  ATB  cannot  reinvest  these  assets  in  its  regular  business  activities  for  seven 
to  nine  years. 

•  ATB  senior  management  significantly  focused  on  ABCP  over  the  past  year 
taking  their  time  away  from  ATB's  core  banking  operations. 

What  are  the  lessons  to  be  learned  by  ATB's  Board  of  Directors? 

•  If  ATB's  Board  is  not  getting  the  right  information  from  management,  they 
need  to  demand  it. 

•  ATB's  Board  should  ensure  the  internal  audit  department  is  providing  them 
the  assurance  they  require.  ATB's  internal  audit  department  should  provide 
that  assurance. 


6  The  restructuring  of  the  third-party  ABCP  under  the  Montreal  Accord  will  result  in  note  holders  receiving  new  floating  rate 
notes  with  longer  terms  to  maturity.  At  the  time  of  our  audit,  the  restructuring  was  not  complete. 
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The  present 

ATB  has  identified  the  need  for  improvement  to  its  treasury  systems  and  has 
taken  the  following  actions: 

•  Hired  external  financial  service  industry  expertise  to  assist  with  reviews  of 
its  investment  and  derivative  policies. 

•  Identified  process  changes  in  its  investment  selection  and  monitoring 
systems  that  are  currently  being  developed  and  implemented. 

•  Completed  an  external  review  of  its  treasury  processes  and  started  to 
develop  a  plan  to  implement  recommendations  from  this  review. 

•  Created  a  Chief  Risk  Officer  position  to  facilitate  and  coordinate  risk 
identification,  monitoring  and  management  throughout  the  organization. 


Implementing 
recommendations 
will  strengthen 
systems 


The  future 

ATB  will  substantially  improve  its  treasury  systems  and  reduce  the  risk  of 
another  significant  financial  loss  occurring  by  the  successful  and  timely 
implementation  of  recommendations  from  us,  external  reviewers,  and  those 
identified  internally  by  ATB.  The  external  reviewers'  recommendations  are 
consistent  with  our  recommendations. 
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2.  Objectives  and  scope 

Our  objective  was  to  determine  if  ATB's  systems  within  treasury  to  manage 
financial  risks  within  the  investment  portfolio,  interest  rate  risk,  foreign 
exchange  risk,  liquidity  risk,  and  credit  risk  related  to  ATB's 
investments/derivatives  are  adequately  designed  and  operating  effectively. 

For  this  audit,  our  focus  was  on  the  systems  that  existed  prior  to  August  2007 
and  on  changes  ATB  made  to  its  policies  and  processes  since  August  2007  up  to 
July  2008. 

We  recognize  that  the  Alberta  Department  of  Finance  and  Enterprise  plays  an 
important  role  in  the  oversight  of  ATB.  This  audit  did  not  examine  those 
oversight  processes  and  systems.  We  plan  to  conduct  an  audit,  in  the  future,  of 
Alberta  Finance  and  Enterprise's  oversight  systems  for  ATB. 

Our  audit  did  not  include  a  review  of  controls  related  to  ATB's  settlement 
processes  or  client  derivative  program. 

Our  procedures  included  reviewing  ATB  documentation,  discussions  with  staff, 
and  walkthroughs  of  treasury  processes.  We  were  assisted  on  this  audit  by 


7  In  August  2007,  the  Canadian  third-party  asset  backed  commercial  paper  market  in  which  ATB  participated  came  to  a 
standstill. 
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external  advisors  with  knowledge  of  treasury  and  financial  service  industry 
good  practices.  We  assessed  the  design  and  implementation  of  key  controls  as 
well  as  tested  the  operating  effectiveness  of  certain  key  controls  within  treasury. 

3.  Criteria  and  conclusions 

ATB  treasury  systems  exist  but  must  be  substantially  improved,  as  our 
recommendations  explain. 

We  used  the  following  nine  audit  criteria  to  draw  our  conclusions  on  ATB's 
treasury  systems: 

•  Management  should  have: 

-  treasury  objectives. 

-  appropriate  treasury  policies. 

-  adequate  treasury  internal  control  systems. 

-  independent  reviews  and  assessments  of  those  systems. 

-  treasury  targets  and  indicators. 

-  reported  on  the  achievement  of  treasury  objectives. 

•  The  Board  of  Directors  should  have: 

-  proper  experience  and  competencies  to  provide  oversight  of  treasury 
activities. 

-  outlined  the  treasury  reporting  it  requires  from  management. 

-  approved  the  treasury  policies  and  new  objectives  and  strategies. 

Our  recommendations  deal  only  with  unmet  criteria.  The  key  to  improving 
ATB's  treasury  systems  will  be  the  successful  and  timely  implementation  of  our 
recommendations  and  the  recommendations  from  the  external  reviewers. 


How  this  report  is 
organized 


We  have  reviewed  the  audit  criteria  in  five  areas  at  ATB:  investments,  liquidity, 
interest  rate  risk,  corporate  derivatives  and  foreign  exchange.  Our 
recommendations  and  observations  in  this  report  are  organized  under  these  five 
areas  (if  recommendations  resulted  from  our  work) .  We  also  have  four  other 
recommendations —  included  under  the  Global  recommendations  that  cross 
different  treasury  functions  in  Section  5.  Our  concerns  recurred  in  each  of  the 
five  areas  examined  related  to  treasury  policies,  treasury  information  systems, 
the  role  of  the  middle  office,  and  the  role  of  the  Asset  Liability  Committee 
(ALCO). 
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4.  Prioritization  of  recommendations 

Prioritization  of  All  of  these  recommendations  were  made  to  ATB  management.  We  have 

recommendations  categorized  them  based  on  our  opinion  of  the  timing  for  implementation. 


Implement  as 
soon  as  possible 

Recommendations  for  ATB  to: 

•  develop  and  document  the  business  rules  and  operating  procedures  required  to 
implement  the  improved  investment  policy  being  developed. 

•  improve  its  process  for  establishing  Global  Financial  Market's  performance  targets  by 
discussing  the  targets  with  senior  Asset  Liability  Committee  (ALCO)  and 
maintaining  evidence  that  supports  decisions  made. 

•  implement  the  updated  investment  and  derivative  policies  for  changes  arising  from  its 
recent  review  of  those  policies.  We  also  recommend  that  ATB  undertake  a  review  of 
the  financial  risk  management  policy. 

•  complete  its  business  rules  on  how  variable  pay  is  calculated  for  Global  Financial 
Markets'  staff  by  clarifying  how  to  deal  with  revenue  not  collected  and  investment 
losses. 

.     review  the  role  of  the  Asset  Liability  Committee  (ALCO)  and  consider  restructuring  it 
into  two  tiers.   .   ' 

Implement  by 
March  31,  2009 

Recommendations  for  ATB  to: 

•  agree  internally  on  a  consistent  measure  of  liquidity  and  report  that  measurement  to 
the  Board  and  to  the  Department  of  Finance  and  Enterprise  to  provide  regular  and  fair 
reporting. 

•  further  expand  its  use  of  liquidity  simulations  as  a  forward  looking  liquidity  risk 
measurement  tool.  ALCO  and  the  Board  oversight  committee  should  consider  whether 
the  results  of  liquidity  simulations  indicate  a  need  to  modify  its  business  plan. 

.     provide  better-more  qualitative  and  quantitative-reporting  to  senior  management  and 
the  Board  on  its  interest  rate  risk  management. 

.     have  internal  audit  regularly  examine  all  types  of  ATB's  derivative  activities  to 
promptly  identify  and  rectify  internal  control  weaknesses  and  fully  comply  with  the 
Alberta  Finance  and  Enterprise  Derivatives  Best  Practices  Guideline. 

Implement  by 
September  30, 
2009 

Recommendations  for  ATB  to: 

•  evaluate  its  current  treasury  information  systems  against  its  business  requirements  and 
develop  and  implement  a  treasury  information  technology  plan  to  upgrade  its  tools. 

•  develop  a  comprehensive  liquidity  contingency  plan  to  be  better  prepared  for  a 
liquidity  crisis  and  to  fully  comply  with  Alberta  Finance  and  Enterprise's  Liquidity 
Guideline.  The  plan  should  be  updated  and  approved  regularly. 

•  define  its  significant  interest  rate  risk  exposures  and  model  those  significant  exposures 
to  assess  the  effects  on  future  net  income. 

•  improve  processes  for  creating,  applying  and  validating  assumptions  used  in  its 
interest  rate  risk  models. 

•  put  in  place  controls  necessary  to  ensure  consistent  measurement  of  interest  rate  risk. 

•  expand  the  role  of  its  middle  office  to  include  responsibilities  for  monitoring  interest 
rate  risk.  We  also  recommend  that  management  ensure  the  middle  office  has  the 
necessary  resources  to  monitor  foreign  exchange  activities  and  fulfill  its  other 
responsibilities   

8  See  section  5.4.4  related  to  the  establishment  of  senior  ALCO 
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Investment 
portfolio  is 
$3  billion 


5.  Recommendations 

5.1  Investments 
Background 

ATB's  investment  portfolio 

ATB's  investment  portfolio  was  approximately  $3  billion  at  March  31,  2008 
($2.7  billion  at  March  31,  2007).  ATB's  investments  are  used  for  short-term 
cash  management  purposes.  Customer  money  market  (large  dollar)  deposits 
received  by  ATB  from  its  customers  are  the  source  of  the  funds  invested  by 
ATB. 


Risk  philosophy 


Acceptable  investments  under  ATB's  investment  policy  are  bonds,  bankers' 
acceptances,  T-bills,  bearer  deposit  notes,  term  deposits,  commercial  paper, 
floating  rate  notes,  extendible  notes,  short  term  notes,  and  repurchase 
agreements.  ATB  does  not  invest  in  equity  securities. 

The  October  2006  investment  policy  described  ATB's  risk  philosophy  as 
realizing  the  highest  yield  available  while  observing  the  conservative  credit  risk 
limits  and  guidelines  approved  by  the  Board.  ATB  measures  investment  returns 
in  dollar  terms  and  also  by  the  interest  rate  spread  it  earns.  The  interest  rate 
spread  is  the  difference  between  what  ATB  pays  on  money  market  (larger 
dollar)  deposits  compared  to  the  returns  generated  re-investing  those  funds  in 
the  market. 


Up  to  60%  of 
portfolio  could  be 
invested  in  ABCP 


By  March  31,  2007,  ATB  held  $1.2  billion  (47%)  of  its  investment  portfolio  in 
third-party  ABCP  (See  Figure  1).  The  investment  policy  in  place  at  the  time 
allowed  ATB  to  invest  up  to  a  limit  of  60%  (See  Figure  2  for  limits)  or 
approximately  $1.8  billion  of  the  investment  portfolio  in  the  commercial  paper 
asset  class,  which  includes  ABCP.  ATB  typically  held  $1.6  to  $1.8  billion  in 
ABCP  throughout  2007.  This  was  split  between  bank-  and  third-party  (non- 
bank)  sponsored  ABCP. 


ATB's  $2.7  billion  investment  holdings  on 
March  31,  2007 


0%  0% 


■  Third-party  (non-bank)  ABCP 
(47%) 

■  Interest  bearing  deposits  with 
financial  institutions  (38%) 

i  Bank  sponsored  ABCP  (11%) 

I  Notes  issued  or  guaranteed  by 
the  Tederal  Government  (4%) 

I  Other  (0%) 

I  Corporate  paper  (0%) 


-igure  1 
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Figure  2 


ABCP  Concentration  Limit 


ABC  P  Concentration  ... 


Z 


Z 


Third-party  ABCP 
market  disruption 
occurred  in 
August  2007 


August  2007  ABCP  market  disruption 

The  Canadian  market  for  third-party  ABCP  came  to  a  standstill  in  August  2007. 
Along  with  many  other  investors  in  ABCP,  ATB  was  unable  to  recover  its 
investment  at  the  original  maturity  dates.  By  the  end  of  August  2007,  ATB  held 
over  $1.1  billion  dollars  in  third-party  (or  non-bank)  ABCP  affected  by  the 
Montreal  Accord.  Of  the  $1.1  billion,  ATB  held  $860  million  of  third-party 
ABCP  affected  by  the  Montreal  Accord  and  acquired  an  additional  $255  million 
from  its  subsidiary  companies.  For  the  year  ended  March  31,  2008,  ATB 
incurred  a  provision  for  loss  of  $253  million  on  these  investments.  The  ultimate 
cash  loss  of  capital  and  interest  to  ATB  will  not  be  known  for  potentially  nine 
years. 


Plan  to  restructure 
market  was 
developed 


Large  institutional  investors,  together  with  banks,  asset  providers  and  third- 
party  sponsors,  agreed  to  work  together  to  restructure  the  frozen  ABCP,  which 
resulted  in  the  creation  of  the  Montreal  Accord.  A  standstill  period  ensued  in 
which  participating  investors  would  not  demand  repayment  of  their  ABCP 
investments  as  they  matured  and  the  commercial  paper  issuers  would  not  make 
liquidity  calls  to  their  liquidity  providers.  Issuers  would  also  not  demand 
additional  collateral.  These  participants  agreed  in  principle  to  convert  the  frozen 
ABCP  into  longer  term  floating-rate  notes9  (FRNs).  The  Pan-Canadian 
Investors  Committee,  of  which  ATB  is  a  member,  was  established  to  oversee 
the  orderly  restructuring  of  ABCP  during  the  standstill  period. 


m 
m 


9  Floating  rate  notes  or  FRNs  are  medium  or  long-term  debt  instruments  with  variable  interest  rate,  adjusted  periodically  and 
tied  to  a  money  market  index  such  as  major  banks  Bankers'  Acceptances. 
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ABCP  is  short- 
term  paper  backed 
by  assets 


What  is  asset  backed  commercial  paper? 

ABCP  is  a  short-term  investment,  usually  maturing  in  less  than  a  year,  but  often 
in  as  little  as  a  month.  ABCP  is  backed  by  a  variety  of  assets,  such  as  mortgage 
loans,  car  loans,  credit  card  balances,  and  other  interest-bearing  assets  and/or  by 
synthetic  assets  such  as  collateralized  debt  obligations10  or  credit  default 
swaps11  The  investor  buys  the  paper  for  less  than  face  value  and  holds  the  paper 
until  it  matures,  at  which  point  the  investor  receives  the  face  value  of  the  paper. 
The  difference  between  the  purchase  price  and  the  face  value  of  the  paper  is 
interest  income  to  the  investor. 


ABCP  was 
popular  because  of 
higher  yield 


ABCP  was  popular  with  certain  investors  because  it  generally  offered  higher 
yields12  than  other  short-term  investments.  ABCP  is  different  from  other  types 
of  commercial  paper  in  that  it  is  issued  by  trusts-either  structured  by  banks 
(bank-sponsored  ABCP)  or  by  independent  brokers  (third-party  sponsored  or 
non-bank  sponsored  ABCP) .  About  one-third  of  the  Canadian  market  in  ABCP 
was  established  and  managed  by  non-banks  or  third-parties.  Banks  and  other 
financial  institutions  would  then  sell  the  ABCP  to  investors. 


ABCP  had  high 
credit  ratings 


A  high  credit  rating,  mostly  triple- A  or  Rl-high,  was  attached  to  these 
investments. 


5.1.1  Business  rules  and  operating  procedures 
®=^s&         Recommendation  No.  12 

We  recommend  that  Alberta  Treasury  Branches  develop  and  document  the 
business  rules  and  operating  procedures  required  to  implement  the 
improved  investment  policy  being  developed. 

Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  investments  are  managed 
through  systems  of  internal  controls,  including  processes  to  identify,  measure, 
and  manage  investment  risks. 


10  A  collateralized  debt  obligation  is  an  investment  collateralized  or  referenced  to  a  portfolio  of  debt. 

11  Credit  default  swaps  are  derivative  contracts  in  which  one  party  agrees  to  make  variable  payments  to  the  other  party  if  a 
specified  credit  event  occurs  in  respect  of  a  specific  entity  or  security  in  exchange  for  a  stream  of  prescribed  fixed  payment. 
1_  At  March  2007,  Canada's  third-party  ABCP  offered  returns  of  8  basis  points  greater  than  Bankers'  Acceptance  notes. 
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Our  audit  findings 

We  discuss  below  the  actions  ATB  took  leading  up  the  ABCP  market  disruption 
in  August  2007  and  process  changes  ATB  is  now  making.  We  have  organized 
this  section  under  the  following  headings: 

•  Business  rules  and  operating  procedures. 

•  Identification  of  US  sub-prime  mortgages  as  a  financial  risk. 

•  Process  for  purchasing  investments. 

•  Monitoring  of  investments  on  the  approved  investment  listing. 


Rules  and 
procedures  not  yet 
fully  implemented 


Business  rules  and  operating  procedures — ATB  has  not  yet  fully 
implemented  all  process  changes  discussed  below  and  business  rules  and 
operating  procedures  have  not  yet  been  fully  developed.  ATB  is  still  developing 
processes  for  analyzing  and  identifying  financial  risks  in  financial  institutions 
that  issue  the  majority  of  the  investment  products  that  ATB  invests  in. 


We  separately  discuss  our  concerns  with  the  investment  policy  in  place  at  the 
time  the  ABCP  market  disruption  occurred  in  section  5.4.3  (See  page  139). 

Identification  of  US  sub-prime  mortgages  as  a  financial  risk — Our  audit 
findings  on  ATB's  investment  risk  management  system  highlight  an  absence  of 
well-defined  processes  and  accountabilities  to  deal  with  identified  risks.  In  the 
absence  of  well-defined  processes  and  accountabilities,  this  system  operated 
between  March  2007  and  August  2007  on  the  judgment,  at  the  time,  of  the 
individuals  involved. 


Procedures  not 
well  defined 


The  Board  was  not 
involved  in 
decisions 

Credit  department 
previously  not 
involved 


Review  did  not 
consider  other 
risks 


Our  audit  findings  are  summarized  as  follows: 

1.  ATB  did  not  have  strong  processes  in  place  to  respond  to  identified  risks 
and  accountabilities  were  not  well  defined.  For  example,  a  small  group  of 
individuals  in  the  credit  department  made  decisions  on  the  credit 
worthiness  of  ATB's  ABCP,  in  consultation  with  GFM. 

2.  The  senior  management  committees  (Asset  Liability  Committee  (ALCO) 
and  the  Credit  Committee)  and  board  (Credit  and  Financial  Risk 
Committee)  oversight  committee  were  not  involved  in  these  decisions. 

3.  ATB's  existing  investment  policy  did  not  require  the  credit  department  to 
analyze  the  financial  strength  of  ATB's  investments.  In  fact,  the  credit 
department's  analysis  of  ABCP  for  US  sub-prime  mortgages  in 

March  2007  was  the  first  time  the  credit  department  was  involved  with 
ATB's  investment  portfolio. 

4.  ATB's  review  of  its  ABCP  investments  in  early  2007  only  focused  on 
identifying  US  sub-prime  mortgage  exposure.  ATB  did  not  consider  other 
risks  during  the  review. 
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GFM  identified 
US  sub-prime 
mortgages  as  a 
risk 

Credit  department 
conducted  a 
review  of  1 1 
ABCP  holdings 


Focus  of  review 
was  on  identifying 
US  sub-prime 
mortgage 
exposure 


Detailed  description  of  activities  between  March  2007  and  August  2007 
GFM  started  to  ask  questions  about  exposure  to  US  sub-prime  mortgages  in  its 
ABCP  investments  in  March  2007.  Reports  from  the  United  States  regarding 
US  sub-prime  mortgages  appeared  in  the  press  at  that  time. 

GFM  and  the  former  ATB  Treasurer13  asked  ATB's  credit  department  to 
analyze  ATB's  ABCP  investments  to  identify  US  sub-prime  mortgage  exposure 
in  1 1  specific  trusts  in  March  2007.  The  1 1  ABCP  trusts  were  placed  on  the  do 
not  buy  list  until  any  potential  US  sub-prime  mortgage  exposure  was 
investigated.  ATB  decided  to  let  existing  holdings  of  these  1 1  trusts  mature  and 
not  to  sell  any  of  its  existing  holdings. 

The  credit  department  review  focused  on  identifying  US  sub-prime  mortgage 
exposure  in  the  ABCP.  This  included  a  review  of  credit  rating  agency  reports 
and  discussions  with  ABCP  sponsors  or  issuer  trustees.  If  a  trust  had  US  sub- 
prime  exposure,  a  decision  was  required  on  whether  to  allow  further  purchases 
of  the  trust. 


Most  of  the 
exposure  was 
removed  except 
two  cases 


Trusts  without  US 
sub-prime 
mortgage 
exposure  re- 
purchased 


In  most  cases,  trusts  with  US  sub-prime  mortgage  exposure  were  removed  from 
the  approved  investment  listing.  In  two  cases,  ATB  identified  US  sub-prime 
mortgage  exposure  existed  but  believed  the  trust's  credit  enhancement 
provisions14  would  mitigate  the  US  sub-prime  mortgage  exposure.  The 
combined  investment  in  those  two  trusts  at  August  2007  was  $135  million. 

The  credit  department  recommended  the  re-introduction  of  most  of  the  1 1  trusts 
to  the  approved  investment  list  between  April  and  June  2007  because  they  did 
not  contain  US  sub-prime  mortgage  exposure.  ATB  began  to  re-purchase  these 
trusts  shortly  after  the  recommendation  to  add  them  back  to  the  list. 


ATB  divested 
itself  of 
$300  million  of 
ABCP 


ATB  ultimately  divested  itself  of  approximately  $300  million  of  ABCP  because 
the  credit  department  review  either  identified  US  sub-prime  exposure  or  was 
unable  to  confirm  that  the  trust  had  no  US  sub-prime  exposure.  This 
$300  million  was  re-invested  in  bank-sponsored  ABCP.  The  review  resulted  in 
ATB  holding  considerably  less  ineligible  assets15  compared  to  other  large 
institutional  investors  (See  Figure  3). 


13  See  Background  section  6.5  of  the  report  (page  147) 

14  Credit  enhancement  provisions  are  support  designed  to  cover  losses  incurred  by  a  particular  pool  of  assets  that,  for 
example,  could  come  in  the  form  of  a  guarantee  by  a  financial  institution. 

Ineligible  assets  are  those  assets  supporting  one  or  more  of  the  series  of  affected  trusts  being  restructured  under  the 
Montreal  Accord  which  have  assets  deemed  ineligible  for  pooling  in  any  of  the  Master  Asset  Vehicles  by  reason  of  their 
exposure  to  US  sub-prime  mortgages  or  other  US  home  equity  loans. 
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ATB  did  not  GFM  <jiu  not  invest  in  smaller  third-party  ABCP  programs  such  as  Selkirk, 

Td^d1"  Sma  er  Ironstone,  and  Devonshire  because  its  investment  in  those  programs  would  have 

ABCP  programs  r  ° 

exceeded  10%  of  the  total  program.  This  strategy  also  reduced  ATB's  provision 
for  losses  as  these  three  trusts  had  lower  indicative  weighted  average  asset 
values16  than  other  trusts  being  restructured  under  the  Montreal  Accord. 


No  unauthorized 
purchases  were 
identified 


Increased  credit 
spreads  caused 
concerns 


Percentage  of  Ineligible  Assets  in  Total 

ABCP 


ATB 


Desjardins        National  Bank 


Figure  3 

We  examined  investment  transactions  between  March  2007  and 
September  2007  to  determine  if  investments  on  the  do  not  buy  listing  were 
purchased.  We  did  not  find  any  unauthorized  purchases  or  instances  where 
investment  policy  limits  were  exceeded.  We  have  concluded  that  ATB's 
procedures  to  ensure  only  authorized  investments  were  purchased  and  that 
investment  policy  limits  were  not  exceeded  were  effective  during  that  period. 

Two  additional  significant  events  of  significance  occurred  leading  up  to  the 
August  13,  2007  market  disruption: 

1.    On  August  1,  2007,  GFM  called  a  meeting  with  the  former  Treasurer, 
credit  department  staff,  and  middle  office  staff  to  discuss  their  concerns 
about  increased  credit  spreads17  for  third-party  ABCP.  Credit  department 
and  middle  office  staff  did  not  attend  the  meeting.  At  the  meeting,  the 
former  Treasurer  advised  GFM  to  continue  purchasing  ABCP. 


16  Indicative  weighted  average  asset  values  were  determined  by  JP  Morgan  and  published  in  the  March  20,  2008  Information 
for  Noteholders  related  to  the  Proposed  Restructuring  of  Canadian  Third-Party  Asset-Backed  Commercial  Paper  prepared  by 
the  Pan-Canadian  Investors  Committee. 

17  Credit  spreads  are  the  difference  in  yield  between  different  investments  due  to  different  credit  quality.  The  credit  spread 
reflects  the  additional  net  yield  an  investor  can  earn  from  an  investment  with  more  credit  risk  relative  to  one  with  less  credit 
risk.  The  credit  spread  of  a  particular  investment  is  often  quoted  in  relation  to  the  yield  on  a  credit  risk-free  benchmark 
investment  or  reference  rate.  Increasing  credit  spreads  signal  that  investors  in  the  market  perceive  an  increase  in  credit  risk. 
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The  question  was 
asked  "Do  we  stop 
our  investment  in 
ABCP?" 


2.    On  August  9,  2007,  GFM  discussed  stopping  all  investment  in  third-party 
ABCP  with  the  former  Treasurer.  The  former  Treasurer  advised  GFM  to 
continue  investing  in  ABCP.  The  market  disruption  occurred  on 
August  13,  2007.  In  hindsight,  it  was  now  too  late  to  do  anything. 

The  former  Treasurer  told  us  that  he  believed  the  credit  spreads  were  increasing 
because  the  market  was  reacting  to  risks  related  to  US  sub-prime  mortgages.  He 
also  believed  ATB  credit  department's  review  earlier  in  2007  had  already  dealt 
with  this  risk. 


Process  relied  on 
credit  rating 


Processes  have 
been  changed 


Process  for  purchasing  investments — ATB  maintains  a  listing  of  approved 
investments  that  comply  with  the  investment  policy.  Before  August  2007,  ATB 
added  investments  to  the  list  based  solely  on  the  rating  from  a  single  credit 
rating  agency  if  the  investment  met  the  minimum  credit  rating  requirements  of 
ATB's  investment  policy.  ATB  added  investments  to  the  approved  listing 
without  completing  its  own  investment  analysis  or  obtaining  a  thorough 
understanding  of  the  underlying  assets  of  the  investments. 

The  process  for  adding  an  investment  to  the  approved  listing  has  been  changed 
and  now  requires: 

1 .  An  outside  credit  rating  from  two  credit  rating  agencies. 

2.  A  thorough  investment  analysis  of  the  financial  strength  of  the  investment 
opportunity  by  an  investment  analyst  through  the  completion  of  an 
investment  application. 

3.  Review  and  adjudication  of  the  investment  application  by  the  credit 
department. 

4.  Final  approval  by  the  management  Credit  Committee. 


Risk  monitoring 
processes  have 
changed 


ATB  imposed  a  deadline  of  August  31,  2008  to  have  all  its  current  and  all  new 
investments  undergo  this  new  investment  application  and  review  process.  Any 
investment  not  reviewed  by  this  date  will  be  removed  from  the  approved  listing. 

Monitoring  of  investments  on  the  approved  investment  listing — before 
July  2008,  ATB  monitored  credit  rating  and  credit  spread  changes  of  its 
investments  on  an  informal  basis.  No  individual  at  ATB  had  responsibility  for 
this  important  role. 

Starting  in  July  2008,  ATB  hired  an  employee  to  monitor  credit  rating  changes, 
credit  spreads  and  market  prices  of  its  investments  on  a  daily  basis.  ATB  has 
also  developed  early  warning  signals  (E WS)  and  defined  roles  and 
responsibilities  of  staff  when  an  investment's  credit  rating  deteriorates.  The 
EWS  are  based  on  four  different  performance  indicators.  Each  indicator  is 
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defined  (i.e.  what  has  to  happen  to  qualify)  and  what  particular  course  of  action 
ATB  must  take  when  certain  events  occur. 

Implications  and  risks  if  recommendation  not  implemented 

There  is  a  risk  that  investment  processes  will  not  be  consistently  followed  if 
business  rules  and  operating  procedures  are  not  well  defined. 

5.1 .2  Performance  targets 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  its  process  for 
establishing  Global  Financial  Market's  performance  targets  by  discussing 
the  targets  with  the  senior  Asset  Liability  Committee  (ALCO)  and 
maintaining  evidence  that  supports  decisions  made. 

Criteria:  the  standards  we  used  for  our  audit 

•  Management  should  develop  a  process  to  ensure  investments  are  managed 
through  systems  of  internal  controls,  including  processes  to  identify, 
measure,  and  manage  investment  risks. 

•  The  Board  should  outline  the  content  and  frequency  of  reporting  to  the 
Board  by  management. 

Our  audit  findings 

We  have  organized  our  audit  findings  in  this  section  under  three  main  headings: 
Review  and  challenge  of  performance  targets;  Evidence  to  support  decisions; 
and  Continually  increasing  performance  targets.  This  recommendation  relates  to 
the  performance  target  setting  process. 

Review  and  challenge  of  performance  targets 

The  decision  making  process  on  GFM  performance  targets  did  not  allow  for 
sufficient  review  and  challenge  of  the  performance  targets  by  ALCO  or  the 
Board.  The  former  CEO18  made  the  final  decision  on  the  GFM  performance 
targets.  We  found: 

•  The  former  CEO,  former  Treasurer,  and  GFM  met  in  late  March  2007  to 
finalize  the  GFM  performance  targets  for  2007-08  which  included  interest 
spread  targets19. 

•  GFM  and  the  former  Treasurer  proposed  an  interest  rate  spread 
performance  target  consistent  with  the  previous  year  of  14  basis  points  or 
$3,780,000  in  annual  net  income. 


18  See  Background  section  6.5  of  the  report  (page  147) 

19  The  interest  spread  target  of  14  basis  points  or  $3,780,000  in  annual  net  income  is  the  difference  in  interest  rates  that  ATB 
pays  to  its  customers  on  money  market  deposits  or  large  dollar  deposits  that  it  collects  compared  to  the  rate  of  return  it 
generates  on  re-investing  that  money  in  the  financial  markets. 


Decisions  were 
not  reviewed  and 
challenged 
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•     At  the  meeting,  the  former  CEO  increased  this  performance  target  by 
2  basis  points  or  $540,000  in  additional  annual  net  income. 

The  decision  by  the  former  CEO  to  increase  performance  targets  and  the 
decision  by  the  former  Treasurer  in  March  2007  to  stop  investing  in  certain 
ABCP  were  at  odds.  We  were  told  by  the  former  Treasurer  that  he  made  his 
decision  knowing  that  it  would  negatively  impact  GFM's  ability  to  meet  its 
performance  target. 


Risks  were  not 
evaluated 


Evidence  to  support  decisions 

The  decision  to  raise  the  interest  rate  spread  performance  target  was  made  by 
the  former  CEO  despite  warnings  about  increased  risk.  The  reasons  to  support 
increasing  this  performance  target  from  the  original  proposal  and  how  this 
target  would  be  achieved  within  ATB's  risk  appetite  were  not  transparent.  We 
found: 

•  GFM's  proposal  described  the  reasons  for  maintaining  the  performance 
target  at  the  same  level  as  the  previous  year.  Those  reasons  included: 

a)  ATB's  ability  to  increase  interest  spread  would  require  increasing  the 
risk  profile  beyond  acceptable  levels  or  reducing  interest  rates  paid  on 
deposits.  The  latter  would  drastically  reduce  deposits  resulting  in  cash 
outflows  and  liquidity  risks. 

b)  Anticipated  downward  pressure  on  interest  spreads  resulting  from 
potential  decreases  in  ABCP  holdings  due  to  rating-related  issues  as 
well  as  potential  risks  associated  with  US  based  sub-prime  lending. 

•  The  proposal  presented  to  the  former  CEO  also  quantified  the  impact  of 
replacing  the  highest  yielding  ABCP  (third  party  ABCP)  with  other 
commercial  paper.  The  lost  yield  would  have  been  approximately  2  basis 
points  or  $540,000  in  annual  net  income. 


Targets  had  been 

continually 

increased 


Continually  increasing  performance  targets 

Increasing  performance  targets  contributed  to  ATB's  exposure  to  third-party 
ABCP.  These  investments  were  the  highest  yielding  commercial  paper 
available.  ATB's  interest  spread  performance  targets  were  increased  from  2006 
to  2008,  as  follows: 

•  11  basis  points  for  2006 

•  14  basis  points  for  2007 

•  16  basis  points  for  2008 

We  were  told  by  the  former  Treasurer  and  former  CEO  that  performance  targets 
had  been  continually  increased  because  GFM  had  continually  exceeded  the 
targets. 
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Implications  and  risks  if  recommendation  not  implemented 

Performance  targets  may  be  increased  above  and  beyond  ATB's  current 
acceptable  risk  tolerances  if  performance  targets  are  not  established  with  due 
consideration  for  the  current  investment  risk  environment  and  if  decisions  are 
not  well  documented  and  transparent,  and  challenged. 

5.1.3  Variable  pay  program 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  complete  its  business  rules 
on  how  variable  pay  is  calculated  for  Global  Financial  Markets'  staff  by 
clarifying  how  to  deal  with: 

•  revenue  not  collected 

•  investment  losses 

Criteria:  the  standards  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  investments  are  managed 
through  systems  of  internal  controls,  including  processes  to  identify,  measure, 
and  manage  investment  risks. 


Variable  pay 
program  is  based 
on  achieving 
targets 


Our  audit  findings 

Variable  pay  for  Global  Financial  Markets  (GFM) 
GFM's  variable  pay  program  is  based  on  the  achievement  of  performance 
targets.  The  interest  rate  spread  performance  target  (discussed  in  section  5.1.2) 
is  part  of  the  variable  pay  program.  The  total  variable  pay  for  GFM  staff  for 
2007-08  was  $202,000  for  eleven  staff  and  ranged  anywhere  from  7%  to  34% 
of  an  individual  staff  member's  salary.  While  the  amount  is  not  significant  to 
ATB's  financial  results-it  is  significant  to  individuals  within  GFM  and 
motivates  decision  makers  to  behave  in  ways  to  exceed  targets. 


Rules  do  not  deal 
with  uncollected 
revenues  and 
investment  losses 


2008  targets  were 
exceeded  and 
maximum  payout 
awarded 


GFM's  variable  pay  business  rules  do  not  deal  with  uncollected  revenue  or 
investment  losses.  ATB  included  returns  on  certain  frozen  ABCP  in  its 
calculation  of  interest  spread  for  2008.  However,  the  interest  to  note  holders  has 
yet  to  be  paid  and  it  is  not  certain  all  interest  will  be  collected. 

In  2008,  the  spread  target  was  exceeded  and  the  maximum  variable  pay  was 
earned  by  GFM  staff  even  though  ATB  recorded  a  provision  for  loss  on  ABCP 
of  $253  million.  GFM's  current  performance  targets  do  not  take  into  account 
losses  in  value  of  investments.  This  is  not  consistent  with  ATB's  primary 
investment  objective  of  "safety  of  investment  principal"  which  was  added  to  the 
investment  policy  as  part  of  the  November  2007  policy  update. 
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A  portion  of  all 
variable  pay  is 
based  on  corporate 
net  income 


Provision  for 
ABCP  losses  had 
minimal  effect  on 
variable  pay 


Board  judgment 


$26.1  million  in 
bonuses  earned 


Implications  and  risks  if  recommendation  not  implemented 

If  there  are  no  consequences  for  not  achieving  objectives,  then  individuals  in 
GFM  are  rewarded  for  not  meeting  corporate  objectives. 

The  effect  of  the  provision  for  losses  on  variable  pay  for  ATB  staff 

We  provide  the  following  facts  to  answer  the  question — Did  ABCP  losses  affect 
the  pay  of  ATB  staff  outside  of  GFM? 

A  portion  of  all  ATB  employees'  variable  pay  is  based  on  corporate  results.  For 
that  component  of  the  variable  pay  program,  corporate  results  are  based  on 
balance  sheet  growth  and  actual  net  income  exceeding  targeted  net  income.  The 
net  income  for  2007-08  was  $30  million  (2007  $274.3  million)  compared  to  the 
targeted  net  income  of  $262  million.  ATB  has  a  policy  that  states  if  net  income 
was  below  50%  of  the  target  then  no  variable  pay  would  be  paid. 

Notwithstanding  the  policy,  on  May  15,  2008,  the  ATB  Board  of  Directors 
decided  to  minimize  the  effect  on  variable  pay  of  the  provision  for  losses  on 
ABCP.  It  approved  a  variable  pay  decision  for  2007-08  that  resulted  in  the 
$253  million  provision  for  losses  on  ABCP  and  $2  million  in  ABCP 
restructuring  costs  having: 

•  no  impact  on  non-executive  ATB  staff  as  corporate  net  income  for  non- 
executives  was  determined  to  be  $287  million20  compared  to  targeted  net 
income  of  $262  million  (109.6%). 

•  a  small  impact  on  executives  as  the  provision  was  capped  at  10%  of 
budgeted  net  income  or  $26.1  million  resulting  in  net  income  for  executives 
being  $261  million21  compared  to  targeted  net  income  of  $262  million 
(99.6%). 

The  minutes  of  the  board  meeting  show  that  the  Board,  after  deliberation, 
determined  that  the  variable  pay  policy  should  be  overridden  for  the  year  ended 
March  31,  2008.  The  Board's  judgment  was  based  on  its  assessment  of  the 
consequences  to  staff  morale  and  retention  from  applying  the  policy  to 
corporate  results  significantly  impacted  by  the  large  provision  for  losses. 

Total  current  and  deferred  variable  pay  earned  by  ATB  staff  in  2007-08  was 
approximately  $26.1  million  (2007  $28.7  million). 


Equal  to  $30  million  net  income  (from  2007-08  financial  statements)  plus  $253  million  ABCP  provision  plus  $2  million  in 
ABCP  restructuring  costs  plus  other  miscellaneous  items  of  $2  million 

Equal  to  $30  million  net  income  (from  2007-08  financial  statements)  plus  $253  million  ABCP  provision  plus  $2  million  in 
ABCP  restructuring  costs  plus  other  miscellaneous  items  of  $2  million  less  10%  of  budgeted  net  income  ($26.1  million) 
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5.2  Liquidity 

5.2.1  Liquidity  reporting 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  agree  internally  on  a 
consistent  measure  of  liquidity  and  report  that  measurement  to  the  Board 
and  to  the  Department  of  Alberta  Finance  and  Enterprise  to  provide 
regular  and  fair  reporting. 


Liquidity  ratio  is 
main 

measurement  tool 


Background 

A  large  portion  of  ATB's  (and  all  financial  institutions)  liabilities  may  be  short- 
term  or  on  demand,  while  most  of  its  assets  are  invested  in  long-term  loans. 
Liquidity  risk  arises  due  to  the  mismatch  between  the  maturity  of  assets  (loans) 
and  liabilities  (deposits).  Therefore,  ATB  needs  to  have  sources  of  cash  to  meet 
short-term  demands.  This  is  why  managing  liquidity  is  critical.  We  describe 
liquidity  further  in  sections  6.3  and  6.9. 

The  liquidity  ratio  is  the  liquidity  measurement  tool  used  daily  by  ATB  to 
measure  its  liquidity.  It  is  calculated  as  liquid  assets  divided  by  total  assets. 
ATB's  tries  to  maintain  that  ratio  above  a  minimum  target  of  10%. 


Criteria:  the  standards  we  used  for  our  audit 

•  Management  should  report  comprehensively  and  regularly  on  the 
achievement  of  liquidity  objectives. 

•  The  Board  should  outline  the  content  and  frequency  of  liquidity  risk 
management  reporting  to  the  Board  by  management. 


Liquidity 
reporting  to  Board 
can  be  improved 


Different  results 
reported  to 
different  groups 


Illiquid  notes 
initially  included 
in  liquidity 
calculation 


Our  audit  findings 

ATB  does  not  consistently  calculate  and  report  its  liquidity  ratio. 

•  Management  reports  quarterly  to  the  Board  the  ratio  for  the  last  business 
day  of  the  quarter  and  provides  no  intra-quarter  information,  does  not 
identify  the  average  liquidity  position  for  the  quarter,  or  the  specific  dates 
and  daily  measurements  during  the  quarter  when  ATB  was  not  in 
compliance  with  its  minimum  liquidity  position. 

•  The  ATB  finance  department  calculate  and  report  ATB's  liquidity  position 
to  the  Audit  Committee  quarterly.  This  calculation  is  different  from  the 
calculation  performed  by  treasury  reported  to  ALCO,  Credit  and  Financial 
Risk  Committee  and  Alberta  Finance  and  Enterprise. 

•  Management  included  illiquid  floating  rate  and  extendible  notes  frozen  in 
August  2007  as  part  of  the  ABCP  market  disruption  as  liquid  assets  in  its 
liquidity  calculation  from  August  2007  to  March  2008.  These  notes  were 
illiquid  assets  during  that  time  period  and  should  not  have  been  included  as 
liquid  assets  in  the  calculation.  The  liquidity  reports  provided  to  ALCO,  the 
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Board  and  Alberta  Finance  and  Enterprise  for  this  period  showed  the 
liquidity  level  of  ATB  to  be  above  the  minimum  guideline.  When  the 
illiquid  notes  were  removed  from  the  calculation,  ATB's  liquidity  level  fell 
below  the  minimum  guideline  on  certain  days  during  the  period.  ATB 
informed  ALCO,  the  Board  and  Alberta  Finance  and  Enterprise  of  the 
mistake  in  March  2008. 

Implications  and  risks  if  recommendation  not  implemented 

The  Board  and  Alberta  Finance  and  Enterprise  may  not  be  aware  of  the 
liquidity  position  of  the  institution  and  how  management  is  managing  liquidity 
risks  if  they  do  not  get  regular,  fair,  comprehensive  and  accurate  reporting. 

5.2.2  Liquidity  simulations 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  further  expand  its  use  of 
liquidity  simulations  as  a  forward  looking  liquidity  risk  measurement  tool. 
We  also  recommend  that  ALCO  and  the  Board  oversight  committee 
consider  whether  the  results  of  liquidity  simulations  indicate  a  need  to 
modify  its  business  plan. 

Background 

Liquidity  simulations  are  forward  looking  liquidity  risk  measurement  tools  that 
provide  management  with  data  to  support  liquidity  management  and  funding 
decisions.  The  Alberta  Finance  and  Enterprise  Liquidity  Guideline  requires  that 
ATB  complete  two  scenarios  or  simulations:  the  going  concern  condition  and 
an  ATB  specific  disruption. 

Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  liquidity  risk  is  managed 
through  systems  of  internal  controls,  including  processes  to  identify,  measure, 
and  manage  liquidity  risks. 


Limited  liquidity 
simulations  are 
used 


Liquidity 
disruption 
scenarios  not 
modeled 


Our  audit  findings 

ATB  performs  limited  liquidity  simulations  as  part  of  its  liquidity  risk 
management  processes.  These  simulations  currently  include  increases  in  the 
loan  portfolio  modeled  against  decreases  in  deposits.  ATB  also  simulates  a 
going  concern  model  based  on  its  business  plan. 

ATB  has  not  modeled  ATB  specific  liquidity  disruption  scenarios  or  other 
useful  scenarios  such  as  the  impact  of  an  inability  to  borrow,  a  lack  of  liquidity 
in  its  investment  portfolio,  or  an  inability  to  raise  funds  through  the 
securitization  market. 
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Treasury  management  use  liquidity  simulations  performed  for  operational 
purposes  but  do  not  report  these  results  to  ALCO  or  the  Board  oversight 
committee. 


Contingency  plan 
describes  how  to 
deal  with 
abnormal 
situations 


Implications  and  risks  if  recommendation  not  implemented 

ATB  may  limit  its  ability  to  anticipate  and  develop  strategies  to  deal  with 
potential  liquidity  disruptions  by  not  implementing  expanded  liquidity 
simulations  as  a  regular  part  of  its  liquidity  risk  management  process. 

5.2.3  Liquidity  contingency  plan 
Recommendation  No.  13 

We  recommend  that  Alberta  Treasury  Branches  develop  a  comprehensive 
liquidity  contingency  plan  to  be  better  prepared  for  a  liquidity  crisis  and  to 
fully  comply  with  Alberta  Finance  and  Enterprise's  Liquidity  Guideline. 
The  plan  should  be  updated  and  approved  regularly. 


Background 

The  liquidity  contingency  plan  is  an  internal  document  describing  an 
organization's  approach  to  funding  and  abnormal  liquidity  situations.  The 
Alberta  Finance  and  Enterprise  Liquidity  Guideline  states  effective  contingency 
plans  should  consist  of  several  components: 

•     specific  procedures  to  ensure  timely  and  uninterrupted  information  flows  to 
senior  management; 

clear  division  of  responsibility  within  management  in  a  crisis; 
action  plans  for  altering  asset  and  liability  behaviours  (i.e.,  market  assets 
more  aggressively,  sell  assets  it  originally  intended  to  hold,  raise  interest 
rates  on  deposits) ; 

an  indication  of  the  priority  of  alternative  sources  of  funds  (i.e.,  designating 
primary  and  secondary  sources  of  liquidity) ; 

a  classification  of  borrowers  and  customers  according  to  their  importance 
to  the  company  to  maintain  customer  relationships;  and 
plans  and  procedures  for  communicating  with  the  media. 


Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  treasury  is  managed  through 
systems  of  internal  controls,  including  processes  to  identify,  measure,  and 
manage  treasury  risks. 
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Current  liquidity 
contingency  plan 
needs 

improvement 


Our  audit  findings 

The  current  liquidity  plan  documents  the  different  sources  of  funds  that  could 
be  available  over  the  immediate,  short  and  long  term.  The  current  plan  does  not 
include  several  of  the  components  required  by  the  guideline  including: 

•  specific  procedures  to  ensure  timely  and  uninterrupted  information  flows  to 
senior  management; 

•  clear  division  of  responsibility  within  management  in  a  crisis; 

•  a  classification  of  borrowers  and  customers  according  to  their  importance 
to  the  company  in  order  to  maintain  customer  relationships;  and 

•  plans  and  procedures  for  communicating  with  the  media. 

The  existing  plan  does  not  contain  up  to  date  information  on  the  level  of  bearer 
deposit  notes  and  medium  term  notes  to  which  ATB  has  access.  There  is  also  no 
formal  process  to  periodically  update  and  approve  the  plan. 

Liquidity  contingency  plans  in  financial  institutions  would: 

•  Provide  an  overview  of  the  organization's  approach  and  philosophy 
regarding  the  funding  of  its  on-going  "normal"  business  activities: 

preferred  funding  sources  and  other  funding  sources, 
funding  diversification, 
maturity  limits, 
uses  of  funding. 

•  Identify  a  range  of  possible  liquidity  scenarios  that  represent  elevated 
levels  of  liquidity  risk  to  the  organization. 

•  Describe  the  "early  warning  signals"  that  would  result  in  the  organization 
defining  itself  in  a  liquidity  crisis  and  at  which  level  of  a  liquidity  crisis. 

•  Discuss  the  procedures  to  monitor  these  triggers. 

•  Define  escalation  procedures  from  one  level  of  liquidity  crisis  to  the  next. 

•  Describe  different  strategies  and  action  plans  that  management  may 
consider  in  each  level  of  a  liquidity  crisis. 

•  Identify  escalated  monitoring  procedures  and  management  practices  and 
responsibilities  during  the  liquidity  crisis. 

Examples  of  early  warning  signals  related  to  liquidity: 
Third  party  indicators 

•  Increase  in  funding  costs  and  a  decrease  in  the  availability  of  borrowing. 

•  Counterparties  begin  to  request  collateral  for  accepting  credit  exposure  to 
the  financial  institution. 

•  The  financial  institution  receives  requests  from  depositors  for  early 
withdrawal  of  their  funds. 
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Internal  indicators 

•  increased  volatility  in  liquidity  position. 

•  larger  variances  between  forecasted  and  actual  liquidity  levels. 

•  a  decline  in  financial  performance. 

•  increased  instances  of  early  maturity  of  investments  to  meet  liquidity 
requirements. 

•  unanticipated  excess  cash  levels. 

•  a  negative  trend  or  significantly  increased  risk  in  any  area  or  product  line. 

Implications  and  risks  if  recommendation  not  implemented 

ATB  may  be  less  prepared  to  identify  and  manage  liquidity  risk  if  its  liquidity 
contingency  plan  is  not  comprehensive. 

5.3  Interest  rate  risk 

5.3.1  Interest  rate  risk  reporting 
Recommendation  No.  14 

We  recommend  that  Alberta  Treasury  Branches  provide  better— more 
qualitative  and  quantitative— reporting  to  senior  management  and  the 
Board  on  its  interest  rate  risk  management. 

Background 

We  describe  interest  rate  risk  in  section  6.3.  Reporting  on  interest  rate  risk  to 
senior  management  and  the  Board  is  important  because  it  may  indicate  a  need 
for  ATB  to  modify  its  risk  management  and  product  pricing  strategies. 

Criteria:  the  standards  we  used  for  our  audit 

•  Management  should  report  comprehensively  on  the  achievement  of  interest 
rate  risk  management  objectives. 

•  The  Board  should  outline  the  content  and  frequency  of  interest  rate  risk 
management  reporting  to  the  Board  by  management. 


Limited  interest 
rate  risk  reporting 
is  provided 


Our  audit  findings 

Management  provides  limited  interest  rate  risk  (IRR)  reporting  to  ALCO  and 
the  Board.  Management  reports  to  ALCO  and  the  Board  the  impact  on  net 
income  and  the  market  value  of  equity22  of  downward  interest  rate  movements 
of  100  and  200  basis  points.  The  current  reporting  also  provides  information 


22  Market  Value  of  Equity  (MVE)  provides  a  measure  of  the  underlying  value  of  the  bank's  current  equity  position  and  seeks 
to  evaluate  the  sensitivity  of  that  equity  value  to  changes  in  interest  rates.  This  measurement  approach  focuses  on  how  the 
economic  value  of  all  bank  assets,  liabilities  and  interest  rate  related,  off  balance  sheet  instruments  change  with  the 
movement  of  interest  rates.  The  MVE  equals  the  present  value  of  their  future  cash  flows.  By  evaluating  changes  in  interest 
rates,  one  can  estimate  the  change  in  a  bank's  economic  value. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


131 


Finance 


ATB  Financial— treasury  management 


regarding  compliance  with  IRR  limits.  However,  the  current  reporting  does  not 
include  the  following  information: 

•  all  major  sources  of  IRR  exposure. 

•  material  movements  in  the  IRR  sensitivity  from  one  reporting  period  to  the 
next. 

•  historical  IRR  exposure  or  trends. 

•  an  evaluation  of  past  IRR  strategies  and  potential  new  strategies. 

Expanded  reporting  will  allow  senior  management  and  the  Board  to  understand 
specific  reasons  for  the  IRR  results  and  assist  them  in: 

•  comparing  results  to  those  of  the  previous  periods. 

•  assessing  the  viability  of  new  strategies  and  the  results  of  previous 
strategies. 

•  reassessing  whether  the  limit  structure  in  place  continues  to  be  appropriate 
given  any  current  trends. 

Implications  and  risks  if  recommendation  not  implemented 

The  ability  of  senior  management  and  the  Board  to  make  strategic  decisions  on 
interest  rate  risk  management  and  the  appropriateness  of  risk  mitigation 
strategies  may  be  limited  without  good  information-both  quantitative  and 
qualitative. 

5.3.2  Interest  rate  risk  model  assumptions 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  processes  for 
creating,  applying  and  validating  assumptions  used  in  its  interest  rate  risk 
models. 


Modeling  output 
is  useful  in 
decision  making 


Modeling  is  an 
assumption  driven 
process 


Background 

Interest  rate  risk  modeling  provides  management  with  information  to  evaluate 
how  sensitive  ATB's  net  income  and  the  value  of  its  balance  sheet  are  to 
changes  in  interest  rates.  Management  develops  product  pricing  and  hedging 
strategies  based  on  the  information  from  its  modeling  process.  For  example, 
management  makes  decisions  to  purchase  derivatives  to  hedge  interest  rates 
based  on  model  output. 

Interest  rate  risk  modeling  is  an  assumption  driven  process.  Assumption  risk 
represents  a  significant  risk  to  the  measurement  of  interest  rate  risk  and  can 
potentially  result  in  very  different  risk  measurements.  For  financial  institutions, 
the  preferred  method  of  developing  modeling  assumptions  is  to  collect  and 
perform  analysis  of  historical  data.  Analytical  approaches  are  used  to  perform 
analysis  of  the  data  with  the  objective  of  defining  scenario  specific 
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assumptions.  All  assumptions  become  dated  over  time,  so  it  is  critical  to 
provide  for  the  ongoing  collection  of  data  and  periodic  analysis  of  data  to 
calibrate  the  assumptions. 

The  key  modeling  assumptions  used  by  ATB  in  its  interest  rate  risk  modeling 
are  its: 

•  balance  sheet  growth  assumptions. 

•  loan  prepayment  assumptions. 

•  market  value  of  equity  assumptions  for  non-maturity  deposits. 
Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  interest  rate  risk  is  managed 
through  systems  of  internal  controls,  including  processes  to  identify,  measure, 
and  manage  interest  rate  risks. 


Data  needs  to  be 
captured  to 
support 

assumptions  used 


Our  audit  findings 

Data  used  to  develop  assumptions  made 

ATB  does  not  have  the  historical  data  or  the  analytical  resources  to  perform  the 
level  of  comprehensive  analysis  required  to  support  institution  and  scenario 
specific  modeling  assumptions.  Currently,  modeling  assumptions  used  are 
based  on  management  judgment,  conversations  with  peers  at  other  financial 
institutions  and  limited  analysis.  Data  used  in  the  models  do  not  capture  the 
optionality  characteristics  for  ATB  deposit  and  loan  products.  For  example, 
certain  deposit  and  loan  products  have  interest  rate  caps  and  floors  that 
management  is  not  modeling. 


Review,  update  and  approval  of  assumptions 
ATB  does  not  have: 

•  formal  processes  to  review,  update  and  approve  model  assumptions  used. 

•  change  control  procedures  over  changes  of  model  assumptions  and  model 
settings  in  the  system 


Assumption 
processes  could  be 
improved 


Reporting  of  assumptions 

Information  on  key  model  assumptions,  sensitivity  analysis  (or  the  potential 
impact  of  assumption  error),  changes  to  assumptions,  and  the  reasons  for  and 
impact  of  changes  in  assumptions  is  not  provided  to  ALCO  or  the  Board's 
Credit  and  Financial  Risk  Committee. 


Back-testing  is 
needed 


Comparison  of  assumptions  to  actual  results 

ATB  does  not  have  a  process  to  compare  its  assumptions  to  actual  results  to 
assess  the  accuracy  of  assumptions  used. 
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Implications  and  risks  if  recommendation  not  implemented 

Management  may  base  their  product  pricing  and  risk  mitigation  decisions  on 
unreliable  information  if  interest  rate  risk  modeling  assumptions  are  inaccurate. 

5.3.3  Interest  rate  risk  modeling  and  stress  testing 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  define  its  significant 
interest  rate  risk  exposures  and  model  those  significant  exposures  to  assess 
the  effects  on  future  financial  results. 

Background 

Interest  rate  risk  modeling  and  stress  testing  provides  management  with  insights 
into  determining  the  impact  of  scenarios  on  the  organization  and  assessing  what 
scenarios  are  potentially  stressful  to  the  organization.  This  helps  management 
develop  meaningful  strategies  to  deal  with  these  scenarios.  Additionally,  stress 
testing  allows  management  to  identify  early  warning  signals  management  can 
monitor  to  determine  if  a  stress  scenario  is  developing. 

The  following  definitions  and  discussion  will  help  readers  understand  what 
interest  rate  risk  is  and  how  it  arises.  Interest  rate  risk  can  take  many  forms  and 
arises  based  on  the  nature  and  mix  of  an  institution's  products  and  activities. 
Interest  rate  risk  exposure  can  be  broken  down  into: 

Re-pricing  risk — re-pricing  risk  occurs  due  to  the  timing  of  interest  rate 
changes  and  maturities  which  can  occur  in  a  rising,  declining  or  flat  interest  rate 
environment.  Re-pricing  risk  is  often  the  most  noticeable  form  of  interest  rate 
risk  for  a  financial  institution. 

Basis  risk — Basis  risk  occurs  in  variable  interest  rate  products  when  the  interest 
rate  spread  between  two  different  rates  widens  or  contracts.  Since  variable  rate 
products  are  indexed  to  either  a  market  index  or  an  internally  managed  rate 
certain  indices  may  lag  the  market  rate  movements  which  can  slow  or 
accelerate  the  impact  of  basis  risk. 

Yield  curve  risk — Yield  curve  risk  occurs  due  to  changes  in  the  shape  of  the 
yield  curve.  Possible  examples  of  changes  in  the  shape  of  the  yield  curve  are: 
flattening,  steepening  and  declining. 

Option  risk — Option  risk  occurs  when  a  customer  or  the  financial  institution 
has  the  ability  to  alter  transaction  terms  and  cash  flows.  In  general,  options  will 
only  be  exercised  if  there  is  a  benefit  to  be  gained  by  the  holder  of  the  option. 
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Common  examples  of  product  options  are  prepayments  for  loans  or  interest  rate 
commitments. 

Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  interest  rate  risk  is  managed 
through  systems  of  internal  controls,  including  processes  to  identify,  measure, 
and  manage  interest  rate  risks. 


Certain  risks  are 
not  modeled 


Our  audit  findings 

Interest  rate  risk  modeling 

ATB  does  not  currently  model  basis  and  option  risk  and  has  not  assessed 
whether  these  risks  are  material  to  ATB. 


Limited  stress 
testing  performed 


Meaningful 
scenarios  need  to 
be  defined 


Interest  rate  risk  stress  scenarios 

ATB  performs  limited  interest  rate  risk  stress  scenarios  related  to  the  steepening 
and  flattening  of  yield  curves. 

Industry  trends  and  practices  are  for  management  to  define  meaningful  stress 
scenarios  that  apply  to  the  organization.  This  is  a  customized  process  because 
what  is  stressful  to  one  organization  may  not  be  that  material  to  another 
organization.  Examples  of  stress  testing  used  by  other  financial  institutions 
include,  but  are  not  limited  to: 

a)  Extreme  changes  in  market  rates  (e.g.  300  basis  point  or  more) 

b)  Significant  changes  in  the  mix  of  the  balance  sheet  holdings  (e.g.,  rapid 
loan  growth  combined  with  declining  levels  of  deposits) 

c)  External  events  (e.g.  rapid  acceleration  of  prepayment  speeds) 

d)  Inability  to  raise  funding  or  a  sudden  and  rapid  loss  of  deposits/funding 

e)  Other  events  (e.g.  weather,  terrorism,  changes  in  competitive  environment, 
etc.) 

f)  Inability  to  access  the  securitization  markets 

g)  Significant  and  rapid  changes  in  the  national  or  provincial  economy 

h)  Unexpected  and  significant  losses  due  to  credit,  operational  or  other  forms 
of  risk 

i)  A  range  of  possible  basis  risk  scenarios.  Approaches  commonly  used 
include  testing  for  the  widening  of  a  basis  risk  spread  or  a  negative  basis 
risk  spread. 

j)    Unusual  changes  in  the  shape  of  the  yield  curve  (e.g.  steepening,  flattening, 
etc.). 

k)    A  combination  of  some  or  all  of  the  above 
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Implications  and  risks  if  recommendation  not  implemented 

If  ATB  does  not  perform  periodic  scenarios  to  evaluate  its  potential  interest  rate 
risk  exposure  from  different  sources,  management  may  not  be  fully  aware  of  its 
interest  rate  risk  exposures  resulting  in  unexpected  financial  losses. 

5.3.4  Interest  rate  risk  controls 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  put  in  place  controls 
necessary  to  ensure  consistent  measurement  of  interest  rate  risk. 

Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  interest  rate  risk  is  managed 
through  systems  of  internal  controls. 

Our  audit  findings 

Input  controls — Approximately  500  market  rates  are  manually  entered  into  the 
interest  rate  risk  management  system  on  a  monthly  basis  and  there  is  no  second 
level  review  for  accuracy  of  the  data  entered.  Assumptions  are  also  entered  into 
the  model  and  there  is  no  second  level  review  for  accuracy  of  assumptions 
entered. 

Review  and  approval— ATB  does  not  maintain  documentation  of  the  review 
and  approval  of  the  interest  rate  risk  modeling  results. 

Change  management  controls— A  formal  change  management  system  for 
changes  to  model  settings  and  assumptions  does  not  exist. 

Access  controls— Multiple  ATB  staff  share  one  user  name  and  password  for  the 
interest  rate  risk  modeling  system  reducing  the  effectiveness  of  any  audit  tools 
in  the  modeling  software  which  track  changes  to  data  and  system  configuration. 

Implications  and  risks  if  recommendation  not  implemented 

The  output  of  the  interest  rate  risk  model  may  be  inaccurate  if  the  controls  over 
data  input,  change  management,  staff  access,  and  reviews  and  approvals  do  not 
exist. 
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Role  of  the  middle 
office 


Segregation  of 
duties  and 
monitoring  can  be 
improved 


5.4  Global  recommendations  that  cross  different  treasury  functions 
5.4.1  Role  and  use  of  middle  office 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  expand  the  role  of  its 
middle  office23  to  include  responsibilities  for  monitoring  interest  rate  risk. 
We  also  recommend  that  management  ensure  the  middle  office  has  the 
necessary  resources  to  monitor  foreign  exchange  activities  and  f  ulfill  its 
other  responsibilities. 

Background 

The  middle  office  was  a  department  established  by  ATB  in  2006  to  monitor 
market  risk  and  certain  policy  requirements  for  derivative  activities.  In  treasury, 
segregation  of  duties  should  exist  between  the  front  office,  which  executes 
trades  in  the  market,  the  back  office,  which  settles  those  trades,  and  a  middle 
office,  which  monitors  risk  and  compliance  with  certain  policies  and  limits. 
ATB's  middle  office's  initial  role  was  expanded  in  2007-08  to  include 
monitoring  of  investments  and  foreign  exchange  activities. 

Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  treasury  is  managed  through 
systems  of  internal  controls,  including  processes  to  identify,  measure,  and 
manage  treasury  risks. 

Our  audit  findings 

ATB's  core  treasury  group  monitors  and  reports  on  interest  rate  risk  exposure. 
That  same  group  also  creates  the  hedging  strategy  and  executes  corporate 
derivative  transactions  that  hedge  interest  rate  risk  exposures.  Monitoring 
should  be  transitioned  to  the  middle  office  to  better  segregate  transaction 
initiation,  monitoring  and  reporting  duties  and  ensure  an  independent  review  of 
compliance  with  interest  rate  risk  limits.  The  execution  of  corporate  derivative 
transactions  should  also  be  segregated  to  GFM. 

The  head  foreign  exchange  trader  currently  executes  foreign  exchange  trades, 
monitors  risk  and  reports  on  ATB's  foreign  exchange  exposures.  Foreign 
exchange  exposures  are  reported  daily  to  the  middle  office  but  resource 
constraints  have  limited  the  middle  office's  ability  to  actively  monitor  risk  in 
this  area. 


23  The  Middle  Office  monitors  market  risk,  values  securities  and  derivatives,  and  ensures  compliance  with  certain  treasury 
limits/policies 


Report  of  the  Auditor  General  of  Alberta— October  2008 


137 


4i 

i 

Finance  ATB  Financial — treasury  management 

i 

More  resources  xhe  middle  office  has  numerous  responsibilities  in  the  current  derivative 

fulfilHttrole              (October  2006)  and  investment  (November  2007)  policies.  Middle  office  is  @ 

required  to  regularly  perform  simulations  of  the  derivative  portfolio  and  0 

develop  derivative  stress  testing.  These  processes  have  not  been  regularly  g 
performed  or  formally  developed.  The  investment  policy  requires  middle  office 
to  perform  stress  testing.  This  has  also  not  been  completed. 

Implications  and  risks  if  recommendation  not  implemented 

ATB  may  not  appropriately  monitor  and  manage  its  derivative,  interest  rate,  and  C 

foreign  exchange  risks  if  adequate  resources  are  not  available  and  if  proper  @ 

segregation  of  duties  is  not  present.  ^ 

5.4.2  Treasury  information  systems  ^ 

Recommendation  @ 

We  recommend  that  Alberta  Treasury  Branches:  0 

•  evaluate  its  current  treasury  information  systems  against  its  business  @ 
requirements  ^ 

•  develop  and  implement  a  treasury  information  technology  plan  to 

upgrade  its  tools  ^ 

Background  C 

Various                   ATB  treasury  uses  a  number  of  information  systems  and  over  100  spreadsheets  r 

information  ,    ,   ,    ..  ...  ..  ... 

systems  are  used            t0  helP 11  mana§e  ltS  treaSUry  activities.  c 

Criteria:  the  standard  we  used  for  our  audit  ^ 

Management  should  develop  a  process  to  ensure  treasury  is  managed  through  C 

systems  of  internal  controls  including  development  and  implementation  of  C 

management  reporting  systems.  q 

Our  audit  findings 

Time  is  spent             ATB  spends  significant  time  compiling  data  from  multiple  systems  and  sources  ^ 

analyzing                 which  reduces  time  available  to  analyze  data  and  monitor  risk.  Currently,  ATB  I 

does  not  have  an  integrated  treasury  management  information  system.  Multiple  C 

information  systems  and  spreadsheets  are  used  by  treasury  and  middle  office  @ 

staff.  The  current  use  of  spreadsheets  and  multiple  information  systems  exposes  ^ 

ATB  to  operational  risk  (the  risk  of  loss  resulting  from  inadequate  or  failed  ^ 
internal  processes,  people  and  systems,  or  from  external  events). 

C 

Observations              vVe  noted  the  following  recurring  observations  related  to  ATB's  treasury  C 

information  systems:  r 

•  Real  time  reporting  of  positions  and  exposures  is  not  available. 

•  The  same  information  is  maintained  in  multiple  information  systems.  ^ 

  I 
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•  Data  is  manually  entered  into  one  system  and  then  re-entered  into  another 
system  as  automated  interfaces  do  not  exist. 

•  Calculations  of  interest  on  certain  investments  require  manual  intervention 
and  adjustment. 

•  Certain  derivatives  can  only  be  valued  monthly  because  of  the  time 
required  to  value  these  instrument  daily. 

•  A  significant  amount  of  reliance  is  placed  on  spreadsheets  accessed  by 
multiple  people  increasing  the  risk  that  data  could  be  over-written  or  lost. 

Implications  and  risks  if  recommendation  not  implemented 

•  Operational  risk  in  treasury  is  increased  because  of  the  significant  use  of 
spreadsheets  and  the  poor  internal  controls  associated  with  spreadsheets. 

•  The  effectiveness  of  ATB  treasury  staff  is  reduced  because  of  the  limited 
real  time  reporting  currently  available  and  the  time  spent  compiling  data 
from  multiple  information  systems  and  sources  rather  than  analyzing  and 
interpreting  information. 

5.4.3  Treasury  policies 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  implement  the  updated 
investment  and  derivatives  policies  for  changes  arising  from  its  recent 
review  of  those  policies.  We  also  recommend  that  ATB  review  the  financial 
risk  management  policy. 

Background 

Treasury  operates  under  the  investment,  derivatives,  and  financial  risk 
management  policies.  The  policies  are  presented  and  recommended  by 
management  for  approval  by  the  Board  annually. 

Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  and  implement  appropriate  treasury  policies  which 
support  the  achievement  of  ATB's  objectives. 

Our  audit  findings 

ATB  has  treasury  policies  in  place  but  we  have  identified  the  following 
weaknesses  with  the  treasury  policies  examined: 

•  Derivative  policy  (October  2006) 

•  Investment  policy  (November  2007) 

•  Investment  policy  (October  2006) 


Report  of  the  Auditor  General  of  Alberta— October  2008  1 39 


Finance  ATB  Financial — treasury  management 


•  Financial  risk  management  policy24  (November  2007). 
Investment  policies 

The  October  200625  investment  policy  contained  the  following  weaknesses: 

•  ATB's  investment  objectives  and  risk  philosophy  were  not  clearly  stated. 
The  objective  of  preservation  of  capital  was  not  clearly  stated.  The  policy 
describes  the  risk  philosophy  as  realizing  the  highest  yield  available  while 
observing  the  conservative  credit  risk  limits  and  guidelines  approved  by  the 
Board. 

•  Portfolio  diversification  limits  were  in  place  however  the  limits  did  not 
allow  for  true  diversification  as  the  investment  portfolio  limit  for  asset 
backed  commercial  paper  was  set  at  60%  of  the  portfolio. 

•  Roles,  responsibilities  and  reporting  were  not  well  defined  in  the  policy. 
The  policy  referred  to  reporting  to  be  provided  to  ALCO  and  the  Board  but 
did  not  specify  what  information  should  be  contained  in  these  reports.  In 
fact,  the  Board  never  did  see  the  detailed  listing  of  investment  holdings 
until  after  the  market  disruption  in  August  2007.  The  policy  listed 
responsibilities  of  management  and  the  middle  office  but  did  not  delegate 
certain  tasks  to  specific  job  titles  or  positions. 

•  Investments  were  allowed  to  be  placed  on  the  approved  investment  listing 
based  on  an  acceptable  credit  rating  from  only  one  external  credit  rating. 

The  investment  policy  approved  in  November  2007  corrected  a  number  of 
weaknesses  in  the  October  2006  investment  policy.  However,  we  noted  the 
following  weaknesses  with  the  November  2007  investment  policy: 

•  The  policy  is  not  clear  on  when  hedging  of  the  investment  portfolio  should 
be  performed. 

•  It  is  not  clear  in  the  policy  how  the  portfolio  will  be  evaluated  and  what  are 
ATB's  rate  of  return  expectations. 

•  The  methodology  used  for  stress  testing  the  investment  portfolio  is  not 
defined  and  the  limits  used  and  reporting/action  steps  to  be  taken  are  not 
clearly  outlined.  The  frequency  of  stress  testing  is  also  not  clearly  defined. 

Derivative  policy 

We  also  examined  the  derivative  policy  dated  October  2006  in  place  from 
October  2006  through  to  August  2008  and  noted  the  following  weaknesses  with 
the  policy: 


The  financial  risk  management  policy  contains  ATB's  policy  on  liquidity,  asset  liability  management  (interest  rate  risk 
management)  and  foreign  exchange. 

25  We  examined  the  October  2006  investment  policy  because  it  was  the  policy  in  place  when  the  ABCP  market  disruption 
occurred.  It  was  revised  and  updated  in  November  2007. 
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The  policy  includes  both  the  corporate  and  client  derivative  programs 
making  it  unclear  in  certain  areas  of  the  policy  what  rules  apply  to  which 
program. 

The  derivative,  credit,  and  financial  risk  management  policies  all  contain 

information  on  derivatives  which  makes  the  policies  fragmented. 

The  policy  mentions  that  stress  tests  and  simulations  should  be  performed 

but  is  not  clear  on  what  those  should  be,  who  should  perform  them,  and  any 

limits  to  be  used  that  would  require  further  management  actions. 

The  policy  contains  a  significant  amount  of  procedural  requirements  that 

should  be  moved  to  operating  procedures. 

While  not  explicitly  part  of  the  policy  review,  we  did  note  that  operating 
procedures  have  not  been  defined  by  ATB  for  the  monitoring  of  collateral 
obligations  when  collateral  limits  for  derivative  counterparties  have  been 
exceeded. 


Financial  risk  management  policy 

The  financial  risk  policy  contains  ATB's  policies  for  liquidity,  foreign 
exchange  and  interest  rate  risk  management.  This  policy  has  several 
deficiencies: 

•  The  policy  is  procedural  in  nature  and  does  not  clearly  describe  the  roles 
and  responsibilities  of  management,  ALCO  and  the  Board  for  risk 
management. 

•  The  policy  contains  minimal  information  on  the  use  of  limits  for  liquidity 
and  interest  rate  risk  management.  The  use  of  warning  signals  and 
escalation  procedures  are  not  well  defined. 

•  The  policy  discusses  scenario  testing  to  be  performed  but  does  not  in  all 
cases  describe  what  scenario  tests  will  be  performed,  frequency  of  the  tests, 
and  how  the  results  of  those  tests  will  be  reported. 

•  The  foreign  exchange  section  of  the  policy  does  not  describe  ATB's 
foreign  exchange  objectives. 

Revisions  to  investment  and  derivative  policies 

In  spring  2008,  ATB  engaged  an  international  accounting  firm  to  assist  it  with 
reviewing  and  revising  its  investment,  derivatives  and  credit  policies.  These 
revisions  were  drafted  throughout  the  summer  of  2008  and  will  be  presented  to 
the  Board  for  approval  in  August  2008. 

Implications  and  risks  if  recommendation  not  implemented 

Management  decisions  and  actions  may  not  be  within  the  risk  tolerance  of  the 
organization  if  policies  are  not  clear  and  well  designed. 
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5.4.4  RoleofALCO 
®"=33'         Recommendation  No.  15 

We  recommend  that  Alberta  Treasury  Branches  review  the  role  of  the 
Asset  Liability  Committee  (ALCO)  and  consider  restructuring  it  into  two 
tiers. 

Background 

ALCO  is  currently  responsible  for: 

•  Establishing  the  minimum  and  maximum  interest  rates  for  all  deposit  and 
loan  programs. 

•  Managing  and  monitoring  of  interest  rate  risk. 

•  Approving  terms,  conditions  and  pricing  of  all  loan  and  deposit  programs 
as  they  relate  to  asset/liability  management. 

•  Monitoring  risk  management  for  liquidity,  short  term  investments,  long 
term  investments,  foreign  exchange  deposit  limits  and  derivatives. 

•  Approving  the  level  of  liquid  assets  held  as  collateral  to  secure  potential 
advances  from  the  Bank  of  Canada. 

ALCO  meets  weekly  and  focuses  on: 

•  Review  of  investment  portfolio  limits. 

•  Discussion  of  economic  outlook. 

•  Review  of  balance  sheet  and  product  pricing  matters. 

•  Overview  of  the  asset  liability  management  report. 

Criteria:  the  standard  we  used  for  our  audit 

Management  should  develop  a  process  to  ensure  treasury  is  managed  through 
systems  of  internal  controls,  including  processes  to  identify,  measure,  and 
manage  treasury  risks. 


Meetings  are 
operational 

Strategic 

discussion 

minimal 

All  members  of 
the  committee  did 
not  attend 
meetings 


Our  audit  findings 

From  our  review  of  meeting  minutes  between  April  2007  and  April  2008  and 
our  attendance  at  the  June  25,  2008  ALCO  meeting  we  noted: 

•  The  meetings  are  generally  operational  in  nature  and  focused  on  limit 
compliance,  operational  updates  and  product  pricing  decisions. 

•  Substantive  discussion  regarding  treasury  strategy,  the  drivers  of  risk,  or 
the  impact  of  the  information  on  the  overall  management  of  the  risk  profile 
of  ATB  was  minimal. 

•  The  terms  of  reference  identify  the  senior  executives  that  are  on  the 
Committee.  They  are  the  Treasurer,  CEO,  former  Chief  Operating  Officer, 
VP-Marketing,  Executive  VP-Credit,  Director  of  Treasury,  VP-GFM  and 
VP-Legal  Services.  The  VP-Internal  Audit  is  an  observer. 
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Industry  trends  are 
for  ALCO  to  be 
split  into  strategic 
ALCO  and  tactical 
ALCO 


These  senior  executives,  outside  of  the  Treasurer,  VP-GFM  and  Director  of 
Treasury,  rarely  attended  the  meetings.  They  sent  delegates  in  their  place. 
All  ATB  business  lines  are  not  represented  on  the  committee. 

Industry  trends  and  practices  for  ALCO 

Recognizing  the  importance  of  both  tactical  and  strategic  discussions  and 
decision  making  and  that  it  is  difficult  to  accomplish  both  in  the  same  forum, 
many  financial  institutions  have  transitioned  to  a  two  tier  ALCO  structure.  This 
structure  is  as  follows: 

•  Tactical  ALCO— meets  weekly  and  focuses  on  tactical  issues  such  as 
transaction  review/approval,  product  pricing  decisions  and  other  matters 
that  require  frequent  overview  or  decisions.  Membership  is  a  combination 
of  senior  and  mid  level  management. 

•  Strategic  ALCO— membership  includes  executive  management  personnel 
only.  Meets  monthly  and  focuses  on  more  strategic  issues  such  as: 

a)  Detailed  discussion  of  the  risk  profile  and  reasons  for  changes  related 
to  interest  rate  risk,  liquidity  risk,  and  investment  portfolio  decisions. 

b)  Determine  how  this  information  can  be  leveraged  to  make  informed 
risk  decisions  regarding  the  management  of  the  organization. 

c)  Discuss,  evaluate  and  potentially  approve  possible  risk  mitigation  and 
balance  sheet  management  strategies. 

d)  Evaluate  the  effectiveness  of  previously  approved  risk  mitigation 
strategies. 

Implications  and  risks  if  recommendation  not  implemented 

Strategic  direction  and  risks  related  to  treasury  may  not  be  managed 
appropriately  without  the  attention  and  involvement  of  senior  executives  across 
all  business  lines. 

5.5  Derivatives 

5.5.1  Internal  audit  program 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  internal  audit  department 
regularly  examine  all  types  of  Alberta  Treasury  Branches'  derivative 
activities  to: 

•  promptly  identify  and  rectify  internal  control  weaknesses 

•  fully  comply  with  the  Alberta  Finance  and  Enterprise  Derivatives  Best 
Practices  Guideline 
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Background  ' 

Guideline  requires  xhe  Alberta  Finance  and  Enterprise  Derivatives  Best  Practices  Guideline  dated  * 
inspections  January  2008  has  several  requirements  for  ATB  related  to  internal  inspection  I 

programs,  including:  f 

•  A  requirement  for  ATB  to  have  an  internal  inspection  program  that  I 
includes  coverage  of  its  financial  derivatives  activities  that  ensures  timely 
identification  of  internal  control  weaknesses  and  operating  system 

deficiencies.  I 

•  The  internal  inspection  function  must  be  independent  of  the  functions  and  I 
controls  it  inspects.  I 

•  Internal  inspection  coverage  should  be  provided  by  competent  I 
professionals  who  are  knowledgeable  of  the  risks  inherent  in  derivatives. 

We  have  identified  ATB's  internal  audit  department  as  the  internal  inspection  * 
function. 

C 

Criteria:  the  standards  we  used  for  our  audit 

•  Management  should  develop  a  process  to  ensure  that  an  independent  ~ 
function  periodically  reviews  and  assesses  its  derivative  activities. 

•  Management  should  develop  and  implement  appropriate  derivative  policies  i 
which  support  the  achievement  of  ATB's  objectives,  including  compliance  f 
with  Alberta  Finance  and  Enterprise  Guidelines.  « 

Our  audit  findings 

beencomTeted           ATB  S  internal  audit  has  not  audited  a11  tyPes  of  ATB's  derivative  activities  and  C 

ATB  is  not  complying  with  this  requirement  contained  within  the  Alberta  C 

Finance  and  Enterprise  Derivatives  Best  Practices  Guideline.  Management  has  G 

informed  us  that  ATB's  internal  audit  department  started  an  audit  of  ATB's  C 
client  derivative  activities  in  the  summer  of  2008. 

C 

Implications  and  risks  if  recommendation  not  implemented  ^ 

•  Internal  control  weaknesses  and  operating  deficiencies  may  go  unnoticed  if  i 
regular  independent  inspections  are  not  performed.  6 

•  A  risk  exists  that  ATB  is  not  fully  complying  with  the  Alberta  Finance  and  £ 
Enterprise  Derivatives  Best  Practices  Guideline.  ^ 

6.  Background  G 

6.1  ATB  background  and  regulatory  environment  ^ 

Provincially  ^TO  is  a  provincially  owned  full-service  financial  institution  operating  in  ® 

owned  financial  ,  ,  „  r  & 

institution  Alberta  with  assets  over  $24  billion  at  March  3 1 ,  2008.  As  a  crown  corporation,  " 

ATB  operates  under  the  provisions  of  the  Alberta  Treasury  Branches  Act  and  0 

G 

 ■    (3 
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Focus  of  audit  was 
on  treasury 
systems 


Board  approves 
policies  and 
management 
implements  them 


Treasury  has  three 
core  functions 


Treasury  risks 


Alberta  Treasury  Branches  Regulation  and  under  the  direction  of  a  board  of 
directors  appointed  by  the  Lieutenant  Governor  in  Council.  The  ATB  Board  of 
Directors  is  accountable  to  the  Alberta  Minister  of  Finance  and  Enterprise. 

Our  audit  focused  on  the  treasury  systems  within  ATB.  We  defined  the  treasury 
systems  as  the  systems  used  by  ATB  to  manage  interest  rate  risk,  financial  risk 
within  the  investment  portfolio,  foreign  exchange  risk,  liquidity  risk,  and  credit 
risk  related  to  ATB's  investment  and  corporate  derivative  portfolios. 

ATB's  Board  of  Directors  reviews  and  approves  the  investment,  derivative, 
credit  and  financial  risk  management  policies  of  the  institution.  Management 
implements  those  policies  through  the  design  of  systems,  processes  and  risk 
management  techniques  to  meet  the  requirements  of  its  regulatory  framework 
and  guidelines  issued  by  the  Alberta  Minister  of  Finance  and  Enterprise.  Three 
of  these  guideline  relate  specifically  to  treasury: 

1 .  Liquidity 

2.  Prudent  person  approach 

3.  Derivatives  best  practices 

6.2  Treasury  management 

Treasury  management  at  ATB  has  three  core  functions:  cash  management, 
funding  and  risk  management. 

•  Cash  management  refers  to  the  process  of  effectively  planning,  monitoring 
and  management  of  liquid  or  near-liquid  resources.  Cash  management  also 
involves  cash  flow  forecasting,  monitoring  daily  cash  requirements,  and 
investing  surplus  funds  or  borrowing  funds. 

•  Funding  involves  determining  funding  requirements,  raising  funds  and 
liability  management. 

•  Risk  management  is  the  process  of  mitigating  risks  that  the  organization 
does  not  want  to  completely  assume. 

6.3  Financial  institution  treasury  risks 

As  a  financial  institution,  ATB  is  exposed  to  the  following  risks: 

•  Credit  risk — that  a  counterparty  will  cause  a  financial  loss  for  ATB  by 
failing  to  discharge  a  financial  or  contractual  obligation. 

•  Market  risk — that  ATB  may  incur  a  loss  caused  by  adverse  changes  in 
market  prices. 

•  Foreign  currency  risk — that  ATB  may  incur  a  loss  caused  because  of 
changes  in  foreign  exchange  rates. 

•  Interest  rate  risk— that  ATB  may  incur  a  loss  caused  because  of  changes  in 
market  interest  rates. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


145 


Finance 


ATB  Financial — treasury  management 


Liquidity  risk — that  ATB  will  be  unable  to  meet  its  obligations  as  they 
come  due  or  fund  itself  at  economical  levels. 


Board  and  senior 

management 

committees 


Role  of  ALCO 


Role  of  Credit 
Committee 


Role  of  Board 
Committee 


6.4  Board  oversight  committee  and  senior  management  committees 

The  main  responsibility  for  managing  these  risks  rests  within  the  treasury  and 
credit  departments  of  ATB.  The  management  committees  that  oversee 
management  of  these  risks  are  the  Asset  Liability  Committee  (or  ALCO)  and 
the  Credit  Committee.  The  Board  oversight  committee  responsible  is  the  Credit 
and  Financial  Risk  Committee  of  the  Board  (CFRC). 

ALCO  is  responsible  for: 

•  Establishing  the  minimum  and  maximum  rates  of  interest  for  all  deposit 
and  loan  programs. 

•  Managing  and  monitoring  interest  rate  risk. 

•  Approving  terms,  conditions  and  pricing  of  all  loan  and  deposit  programs 
as  they  relate  to  asset/liability  management. 

•  Monitoring  risk  management  for  liquidity,  short  term  investments,  long 
term  investments,  foreign  exchange  deposit  limits  and  derivatives. 

•  Approving  the  level  of  liquid  assets  held  as  collateral  to  secure  potential 
advances  from  the  Bank  of  Canada. 

The  management  Credit  Committee  is  responsible  for  the  administration, 
monitoring  and  adjudication  of  all  of  ATB's  lending  programs  and  initiatives, 
and  is  charged  with  ensuring  at  all  times  that  the  highest  standards  are 
maintained  regarding  risk  assessment,  analysis  and  credit  risk  management. 

The  Board's  Credit  and  Financial  Risk  Committee  is  responsible  for  a  number 
of  things,  including: 

•  Reviewing  and  recommending  reasonable  and  prudent  investment  and 
lending  policies,  standards  and  procedures  to  avoid  undue  credit  risk  and 
potential  loss  and  to  obtain  a  reasonable  return. 

•  Reviewing  and  recommending  credit  risk  management  policies  for 
approval  by  the  Board. 

•  Reviewing  and  recommending  to  the  Board  for  approval  policies  related  to 
risks  surrounding  asset  liability  management,  liquidity,  interest  rate 
management,  foreign  exchange  and  the  investment  portfolio. 

•  Performing  an  annual  review  of  the  effectiveness  and  application  of  market 
risk  management  and  liquidity  risk  management  policies,  standards  and 
procedures. 
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6.5  Structure  and  senior  management  oversight  of  ATB's  treasury 
department 

The  executives  with  management  oversight  responsibility  for  ATB's  treasury 
department  were  the  former  CEO,  and  former  Treasurer.  The  former  CEO  was 
Bob  Normand  until  he  retired  in  June  2007  and  the  former  Treasurer  was 
Craig  Warnock,  who  left  ATB  in  May  2008. 

ATB's  treasury  group  is  structured  into  three  groups:  core  Treasury,  Global 
Financial  Markets  (GFM),  and  Treasury  Operations,  Settlements  and  Control. 
The  Credit  department  within  ATB  also  contains  a  middle  office  that  has 
responsibility  for  monitoring  certain  treasury  activities.  The  credit  department 
also  approves  credit  limits  for  counterparties  and  reviews  and  recommends  to 
the  Board  for  approval  the  investment,  derivative  and  credit  policies  of  ATB. 

•  Core  Treasury  has  responsibilities  for  liquidity  and  funding  solutions,  asset 
liability  management  and  corporate  derivatives. 

•  GFM  has  responsibility  for  investment  management,  foreign  exchange 
trading,  derivatives  trading,  and  money  market  activity. 

•  Treasury  Operations,  Settlements  and  Control  has  responsibility  for 
incoming  and  outgoing  wire  transfer  activity  and  transaction  support  and 
reporting  for  treasury  which  includes  investments,  corporate  derivatives 
and  client  derivatives. 

•  The  middle  office  within  the  credit  department  is  responsible  for 
monitoring  treasury  activities  within  ATB  and  valuing  ATB's  investments 
and  derivatives. 

•  The  credit  department  is  also  responsible  for  reviewing  credit  applications 
for  derivative  and  investment  counterparties.  This  is  a  new  initiative  for 
investments  starting  in  the  summer  2008  while  the  reviews  of  credit 
applications  for  derivative  counterparties  started  in  2006.  Credit  also 
reviews  and  makes  recommendations  for  approval  to  the  Board  of 
Directors  on  the  investment,  derivative  and  credit  policies. 


6.6  Investments 

Investments  ATB's  investment  portfolio  consists  of  debt  securities  used  for  short  term  cash 

management  purposes  and  deposits  with  other  financial  institutions.  ATB 
manages  its  investment  portfolio  within  its  investment  policy  and  the  Prudent 
Person  Guideline  issued  by  Alberta  Finance  and  Enterprise. 

On  March  31,  2008  the  carrying  value  of  the  investment  portfolio  was 
$3.1  billion  (March  31,  2007:  $2.7  billion).  The  portfolio  consists  of 
commercial  paper,  debt  securities  and  deposits  with  other  financial  institutions 
of: 
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Deposits  with  other  financial  institutions  $1.9  billion  (2007:  $1.0  billion) 
Paper  issued  or  guaranteed  by  the  Government  of  Canada  $161  million 
(2007:  $110  million) 

Third-party  sponsored  asset  backed  commercial  paper  $825  million  net  of 
the  $253  million  provision  for  losses  on  ABCP  (2007:  $1.2  billion) 
Bank-sponsored  asset  backed  commercial  paper  $76  million 
(2007:  $300  million) 

Corporate  paper  $182  million  (2007:  $1  million) 
Other  investments  $7  million  (2007:  $5  million) 


Interest  rate  risk 
management 
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Client  derivatives 
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6.7  Interest  rate  risk  management 

ATB's  objective  for  managing  interest  rate  risk  is  to  achieve  stable  earnings  and 
value  growth  through  active  management  of  its  asset  and  liability  positions.  In 
practice,  this  is  achieved  through  interest  rate  hedging  strategies  designed  to 
minimize  the  impact  that  changes  in  interest  rates  would  have  on  net  interest 
income  and  maintain  the  effects  of  changes  in  interest  rates  within  a  target  limit 
of  net  income.  Interest  rate  risk  is  modeled  and  monitored  to  allow  management 
to  make  risk  mitigation  and  product  pricing  decisions. 

6.8  Derivatives 

Derivatives  are  agreements  or  financial  contracts  whose  values  are  derived  from 
the  value  of  an  underlying  primary  index  such  as  interest  rates,  exchange  rates, 
commodities  and  equities.  Alberta  Treasury  Branches  Regulation  establishes 
the  derivative  activities  that  ATB  is  allowed  to  engage  in. 

ATB'  s  use  of  derivatives  consists  of  two  elements:  corporate  and  non-corporate 
derivatives. 

•  Corporate  derivatives  used  for  interest  rate  risk  management  consist 
generally  of  interest  rate  swaps  to  hedge  interest  rate  risk  and  equity 
options  to  hedge  the  market  risk  related  to  index  linked  deposit  products. 
Forward  foreign  exchange  products  are  used  to  manage  ATB's  foreign 
exchange  exposure. 

•  Non-corporate  derivatives  exist  under  ATB's  client  derivative  line  of 
business.  ATB  sells  derivative  products  (oil  and  natural  gas  forwards  and 
options)  to  its  clients  and  offsets  the  market  risk  of  those  products  by 
purchasing  an  offsetting  position  with  another  financial  institution. 

ATB  strives  to  manage  its  derivative  portfolio  in  accordance  with  the  Alberta 

Finance  and  Enterprise  Derivatives  Best  Practices  Guideline.  At 

March  31,  2008  the  fair  value  and  notional  amounts  of  corporate  derivatives 

was: 


148 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Finance 


ATB  Financial— treasury  management 


Derivatives  at 
March  31,  2008 


Fair  value 

Notional 

Fair  value 

of 

principal 

of  assets 

liabilities 

amounts 

($  in  thousands) 

Interest  rate  contracts 

Options 

$  782 

$ 

$  131,080 

Swaps 

33;003 

5;804 

2,735,039 

Foreign  exchange  contracts 

Forwards 

195 

179 

19,992 

Equity  contracts 

Options 

47,200 

249,650 

6.9  Liquidity 

Liquidity  risk  The  Alberta  Treasury  Branches  Regulation  section  29  requires  that  ATB  shall 

have  and  keep  available  unencumbered  liquid  assets  in  accordance  with  the 
guidelines  whose  primary  objective  is  liquidity.  The  Minister  of  Finance  and 
Enterprise  issued  a  Liquidity  guideline  dated  July  2004  that  ATB  must  follow. 


Foreign  exchange 
activities 


6.10  Foreign  exchange 

ATB's  foreign  exchange  risk  exposure  is  limited  primarily  to  US  dollars  as 
ATB  has  cash,  investments  and  loans  denominated  in  US  dollars  which  are 
offset  by  US  dollar  deposits  of  its  customers. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


149 


Finance  ATB  Financial — treasury  management 


1 50  Report  of  the  Auditor  General  of  Alberta— October  2008 


Health  and  Wellness 


Alberta's  mental  health  service  delivery  system 


The  system  faces 
serious  challenges 


Services  should 
reflect  PMHP 
principles 


Recommendations 
apply  to  AHS 
delivery  model 


Three  objectives 
for  this  work 


Alberta's  mental  health  service 
delivery  system 

1.  Summary 

The  mental  health  service  delivery  system  in  Alberta  faces  serious  challenges. 
Service  to  clients  and  patients  can  improve  by  making  access  to  the  system 
easier,  reducing  wait  times  for  many  programs  and  coordinating  care  better. 
Factors  such  as  the  stigma  attached  to  mental  illness,  its  chronic  nature,  and  the 
transfer  of  responsibility  for  care  delivery  between  service  providers  combine  to 
keep  mental  health  in  the  background.  Mental  health  staff  and  administrators 
advocate  a  client  focused  system  that  balances  care  delivery  between 
community,  hospital,  and  institutional  programs.  The  system  we  audited  still 
focuses  on  hospital  beds  and  clinics.  Having  said  that,  there  is  a  foundation  of 
service  providers  in  Alberta  working  to  improve  service  delivery. 

This  report  accepts  the  view  that  Alberta  should  transform  its  mental  health 
service  delivery  system  to  reflect  the  principles1  outlined  in  the  Provincial 
Mental  Health  Plan.  This  is  not  a  radical  expectation.  Mental  health 
professionals  have  promoted  these  principles  for  decades.  There  is  evidence  that 
the  new  approach  costs  no  more  than  the  splintered,  sometimes  ineffective  care 
now  offered.  Demographic  changes,  workforce  shortages,  and  the  development 
of  innovative  programs  also  affect  how  the  system  should  be  transformed. 

Our  report  recommends  ways  to  improve  Alberta's  mental  health  service 
delivery  in  accordance  with  the  principles  of  the  Provincial  Mental  Health 
Plan.  While  we  examined  only  a  selection  of  mental  health  services,  our 
recommendations  should  apply  to  all  mental  health  fields.  And  while  we  did  our 
work  in  a  regionalized  service  delivery  environment,  these  recommendations 
will  apply  to  whatever  delivery  model  the  new  Alberta  Health  Services 
implements. 

In  1994  Alberta  regionalized  health  service  delivery.  Directly  or  through 
contracts,  the  nine  regional  health  authorities  (RHAs)  have  delivered  publicly 
funded  mental  health  services  since  2003.  So  it  is  not  surprising  that  we 
examined  nine  different  regional  mental  health  service  delivery  systems.  To 
structure  our  mental  health  audit,  we  developed  audit  objectives  and  criteria 


1  These  principles  include  a  focus  on  client  recovery;  a  choice  of  treatment  models;  community-based  services;  the 
integration  of  services  and  supports;  consideration  of  the  social  determinants  of  health  (e.g.  housing,  income,  etc.);  evidence- 
based  services. 
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against  which  to  assess  the  regional  health  authorities'  systems.  We  set  three 
objectives  for  this  audit. 

Our  first  objective  was  to  determine  whether  every  region  provides  a 
functioning  mental  health  continuum  of  care  for  its  clients.  This  does  not  mean 
the  same  services  in  every  location,  but  equitable  service  everywhere  given 
geographic  size  and  population  differences.  We  conclude  that  all  regions 
provide  a  mental  health  continuum,  although  in  all  cases  with  exceptions. 

The  two  big  city  RHAs2  offer  a  complete  range  of  mental  health  programs  but 
experience  higher  demand  for  services  than  they  can  meet  with  their  existing 
systems.  In  the  two  northern  RHAs,  there  are  significant  service  delivery  issues 
based  on  the  rapid  growth  of  communities  like  Grande  Prairie  and 
Fort  McMurray  and  the  inability  of  the  mental  health  programs  to  keep  pace. 
There  is  a  significant  difference  between  services  in  the  cities  and  those  in 
smaller  towns  or  rural  areas.  In  every  RHA  we  found  long  wait  times  for  at  least 
some  services.  Most  RHA  mental  health  divisions  can  improve  coordination 
with  their  contracted  not-for-profit  service  providers. 

Our  second  objective  was  to  determine  whether  RHAs  are  actively 
implementing  the  principles  of  the  Provincial  Mental  Health  Plan.  We 
conclude  that  the  RHAs  are  implementing  those  principles.  They  could  do  so 
faster  and  more  consistently  across  the  province. 

Our  third  objective  was  to  identify  good  practices  in  mental  health.  As  we 
traveled  the  province,  we  saw  many  examples  of  good  practices,  innovative 
initiatives,  and  dedicated  employees.  Every  region  has  established  a  foundation 
for  coordinated  mental  health  care. 

We  make  nine  recommendations  to  improve  Alberta's  mental  health  service 
delivery  in  accordance  with  the  principles  of  the  Provincial  Mental  Health 
Plan.  We  categorize  these  recommendations  into  four  themes. 

The  Ministry  of  Health  and  Wellness  should  develop  standards  for  mental 
health  services.  Section  5.1  defines  standards  as  the  principles,  practices,  and 
examples  to  which  the  mental  health  system  should  conform  and  by  which  the 
system  can  be  judged.  Standards  form  a  critical  foundation  for  the  mental  health 

system. 


2  The  two  big  city  RHAs  are  Capital  (that  includes  Edmonton  and  surrounding  centres)  and  Calgary.  The  term  "medium-sized 
cities"  refers  to  Medicine  Hat,  Lethbridge,  Red  Deer,  Grande  Prairie,  and  Fort  McMurray. 
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Alberta  Health  Services  should  eliminate  the  gaps  in  mental  health  service 
across  the  province.  By  gaps  in  service,  we  mean  a  program  that  either  does  not 
exist  or  has  a  long  wait  time.  Poorly  coordinated  care  also  signifies  a  gap  in 
services,  resulting  in  clients  not  getting  the  care  they  need  or  even  "falling 
between  the  cracks".  Standards  will  define  what  services  should  be  delivered  by 
the  publicly  funded  system.  Alberta  Health  Services  must  deliver  the  programs 
to  satisfy  those  standards. 

Section  5.2  addresses  the  need  to  encourage  mental  health  housing  and  provide 
supportive  living3  programs  across  the  province.  Section  5.3  deals  with  the 
important  issue  of  treatment  for  people  with  concurrent  disorders,  those  with  a 
mental  illness  and  an  addiction  issue.  Section  5.4  encourages  better 
relationships  between  RHAs  and  the  not-for-profit  organizations  that  deliver 
mental  health  services  under  contract.  Section  5.5  deals  with  other  gaps  that  we 
observed:  mental  health  professionals  at  points  of  entry,  coordinated  intake, 
specialized  programs,  and  transition  management  between  hospital  and 
community  care. 

Alberta  Health  Services  and  mental  health  managers  and  workers  can 
coordinate  and  manage  mental  health  services  better.  Better  coordination  should 
lead  to  efficiency  gains  for  the  system.  Section  5.6  discusses  opportunities  to 
coordinate  mental  health  programs,  procedures,  and  information  systems  across 
the  province.  Section  5.7  describes  opportunities  for  managers  and  workers  to 
improve  their  own  community  mental  health  practices  immediately. 

Last,  there  should  be  greater  accountability  for  the  mental  health  service 
delivery  system.  We  view  accountability  in  terms  of  a  cycle,  beginning  with 
planning  an  activity,  delivering  it,  monitoring  operations,  and  regularly 
assessing  the  success  of  operations  with  a  view  to  enhancing  the  service. 
Section  5.8  covers  funding,  planning,  and  reporting  considerations  that  need  to 
improve  for  the  system  to  achieve  the  Provincial  Mental  Health  Plans 
principles  and  be  fully  accountable.  Section  5.9  deals  with  considering  whether 
two  existing  implementation  priorities  of  the  Plan  are  appropriate. 

Appendix  A  summarizes  the  results  of  our  focus  groups  and  surveys.  We  used 
these  methods  to  gather  feedback  about  mental  health  service  delivery  from 
clients,  clients'  families,  physicians,  and  psychologists.  Appendix  B  describes 
our  audit  approach,  including  the  procedures  we  performed  and  the  audit 
criteria  we  used. 


3  In  this  report,  "housing"  means  the  physical  location  where  the  mental  health  client  lives,  whether  it  is  his  own  home,  a 
group  home,  or  an  approved  home.  "Supportive  living"  means  the  mental  health  services  delivered  to  the  client  in  his  housing 
unit. 
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2.  Background 

Until  the  creation  of  RHAs  in  1994,  independent  boards  ran  the  hospitals.  Until 
2003,  hospitals  operated  inpatient  psychiatric  units  and  outpatient  clinics  while 
the  Alberta  Mental  Health  Board  (AMHB)  or  its  predecessors  ran  community- 
based  treatment  programs  as  well  as  the  specialized  mental  health  facilities4.  In 
2003,  the  AMHB's  programs  devolved  to  the  RHAs  who  then  acquired  the 
mandate  to  deliver  integrated  mental  health  care  in  the  province. 

In  April  2004,  the  provincial  government  released  the  Provincial  Mental  Health 
Plan  for  Alberta5.  The  Plan  established  the  principles  for  mental  health  policy 
and  service  delivery.  The  Kirby  Report,  entitled  Out  of  the  Shadows  At  Last6 
(May  2006;  pp.  57  and  58),  summarizes  those  principles:  a  focus  on  client 
recovery;  a  choice  of  treatment  models;  community-based  services;  the 
integration  of  services  and  supports;  consideration  of  the  social  determinants  of 
health  (e.g.  housing,  income,  etc.);  evidence-based  services. 

As  we  complete  our  audit  in  August  2008,  the  Ministry  of  Health  and  Wellness 
is  reorganizing  health  service  delivery  in  Alberta.  The  nine  RHAs  will  become 
one  under  Alberta  Health  Services.  Support  infrastructure  such  as  funding  and 
information  technology  development  at  the  Department  of  Health  and  Wellness 
may  change  as  well. 

We  reported  phase  I  of  our  mental  health  work  in  April  2008.  Our  work 
concluded  that  the  central  entities  (the  Department  and  the  AMHB)  "did  not 
introduce  strong  systems  to  plan,  monitor,  and  report  the  implementation 
priorities"  of  the  Provincial  Mental  Health  Plan.  As  a  result,  it  is  difficult  for 
the  Department  and  the  AMHB  (and  especially  for  anyone  outside  the  mental 
health  system)  "to  determine  whether  the  results  we  now  observe  are  what  were 
originally  intended."  We  made  two  recommendations.  The  first  was  to 
strengthen  the  planning,  monitoring,  reporting,  and  adjusting  systems  to 
implement  the  Plan.  The  second  was  to  ensure  a  sound  accountability 
framework  for  mental  health  in  Alberta,  including  for  the  Plan  itself. 


4  In  this  report,  "facility"  refers  to  the  specialized  mental  health  hospitals  such  as  Alberta  Hospital  Edmonton,  the  Centennial 
Centre  (formerly  Alberta  Hospital  Ponoka) ,  and  the  Claresholm  Care  Centre. 

5  http://www.amhb.ab.ca/Publications/reports/Pages/ProvincialMentalHealthPlan.aspx 

6  http://www. pari. gc.ca/39/l/parlbus/commbus/senate/com-e/soci-e/rep-e/rep02may06-e. htm 
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3.  Mental  health  service  delivery  in  Alberta 

Recovery  is  the  objective  of  the  mental  health  system.  People  with  mental 
illness  want  to  live  a  normal  life  within  the  constraints  of  their  condition.  They 
prefer  to  live  in  their  own  homes,  hold  jobs,  and  interact  with  society  like  other 
people.  As  mental  illness  is  often  chronic,  a  final  cure  may  not  be  possible.  The 
client  may  not  recover  totally  and  permanently  so  the  mental  health  system 
should  support  him  in  living  as  best  he  can. 
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defined;  contains 
three  aspects 


First,  RHA  service 
delivery  system 


Services  delivered 
to  the  client  in  the 
community 


Services  delivered 
in  the  community 
clinic 


Bed-based  support 
for  community 
services 


Example  of 
Calgary's  mental 
health  areas  and 
programs 


Continuum  of  care 

Continuum  of  care  is  a  key  concept  in  mental  health  service  delivery.  The 
Canadian  Council  on  Health  Services  Accreditation  defines  continuum  of  care 
as  "an  integrated  and  seamless  system  of  settings,  services,  service  providers 
and  service  levels  to  meet  the  needs  of  clients  in  defined  populations".  At  a  high 
level,  we  describe  three  aspects  of  Alberta's  continuum  of  care. 

The  first  element  is  the  publicly-funded  RHA  mental  health  service  delivery 
system  that  is  the  subject  of  this  audit.  Services  offered  by  this  system  should  be 
evidence-based.  This  means  that  treatments,  therapies,  and  practices  should  be 
endorsed  by  research  based  on  scientific  method.  Evidence  should  be  used  to 
support  decisions  about  how  best  to  treat  clients  and  patients.  Broadly  speaking, 
this  system  offers  three  types  of  services  to  its  clients: 

•  Mental  health  services  delivered  in  the  community.  In  this  case,  the  service 
goes  to  the  client.  In  Alberta,  the  system  delivers  services  (such  as  crisis 
intervention,  assessment,  and  therapy)  or  supports  (such  as  helping  the 
client  with  job  or  home  hunting,  shopping,  or  socialization). 

•  Mental  health  services  in  a  community  clinic  or  outpatient  setting.  In  this 
case,  the  client  goes  to  the  service. 

•  Bed-based  support  for  community  mental  health  services.  These  beds  are 
located  in  hospitals  and  specialized  mental  health  facilities.  One  hundred 
years  ago,  these  beds  were  at  the  heart  of  the  mental  health  system.  Now, 
those  beds  are  just  as  critical  to  the  system.  However  given  the  focus  on 
recovery,  these  beds  should  support  clients  when  their  illness  requires 
intensive  treatment.  An  admission  to  the  psychiatric  unit  should  promote 
recovery. 

In  Alberta,  the  nine  regional  health  authorities  (RHAs)  deliver  these  services. 
Each  RHA  organizes  its  services  into  areas  and  programs.  As  an  example,  the 
Calgary  Health  Region  defines  the  following  program  areas: 

•  Prevention  and  promotion. 

•  Early  intervention. 
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•  Crisis  intervention. 

•  Acute  inpatient  services. 

•  Basic  treatment  (focused  core  services) .  This  program  area  includes 
Calgary's  community  mental  health  clinics. 

•  Specialized  treatment. 

•  Rehabilitation. 

•  Sustain  and  support. 

Within  these  program  areas,  Calgary  defines  about  50  adult  mental  health 
programs.  RHA  staff  deliver  some  of  these  programs;  organizations  contracted 
by  the  RHA  deliver  the  remainder.  A  variety  of  staff  deliver  these  services;  we 
divide  them  into  three  general  categories: 

•  Mental  health  professionals,  which  includes  therapists,  social  workers, 
nurses  (some  with  psychiatric  specialization),  psychologists,  and 
psychiatrists; 

•  Mental  health  workers,  who  are  non-professionals  often  working  in  outreach 
programs; 

•  Support  and  administration. 

Of  course,  Calgary  provides  a  full  range  of  programs.  Smaller  RHAs  offer 
fewer  programs  but  cover  the  three  types  of  service,  either  by  providing  the 
services  themselves  or  by  arranging  for  services  from  other  regions. 

The  second  element  in  the  continuum  is  the  host  of  mental  health  and  support 
services  offered  by  providers  other  than  the  RHAs.  In  Alberta,  those  providers 
include: 

•  Physicians.  Family  and  general  practitioners  provide  the  first  point  of 
contact  and  treatment  for  many  mental  health  clients.  Psychiatrists  provide 
specialist  services  for  the  seriously  ill. 

•  Not-for-profit  organizations.  Numerous  local,  regional,  and  national 
organizations  like  the  Canadian  Mental  Health  Association,  the 
Schizophrenia  Society,  and  the  Centre  for  Suicide  Prevention  offer  key 
services.  In  some  cases  these  organizations  contract  with  the  RHAs  to 
provide  services. 

•  Other  government  departments,  agencies,  and  entities.  At  the  provincial 
and  federal  levels,  many  entities  play  a  role.  For  example,  police  forces 
often  respond  to  mental  health  crises,  education  systems  often  identify  and 
accommodate  students  with  a  mental  illness,  and  the  housing  ministry  leads 
initiatives  to  provide  low-cost  homes. 

•  For-profit  mental  health  services.  Through  private  practitioners  such  as 
psychologists  or  privately  funded  organizations  such  as  employee 
assistance  programs,  clients  can  access  mental  health  services. 
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The  third  element  in  the  continuum  is  the  coordination  of  these  services.  The 
Provincial  Mental  Health  Plan  talks  about  delivering  the  right  service  to  the 
right  client  at  the  right  place  and  time.  Placing  the  mental  health  client  in  the 
best  program  on  the  continuum  is  critical  to  effective  and  efficient  service.  For 
example,  when  a  mental  health  client  arrives  at  the  hospital  emergency  room 
the  system  should  decide  where  best  to  place  him.  Diversion  from  the  inpatient 
psychiatric  unit  to  a  more  suitable  treatment  program  serves  the  client  and  the 
system  better  than  hospitalization  or  unsupported  discharge  to  the  community. 


Hospital  mental 
health  services 


Mental  health 
clinic  services 


Services  delivered 
in  the  community 


Hospital-based  and  community-based  programs 

The  RHA  mental  health  service  delivery  system  is  involved  directly  as  provider 
or  indirectly  as  funder  for  the  following  programs. 

The  RHAs'  hospitals  provide: 

•  Emergency  rooms,  which  for  many  clients  is  the  first  point  of  contact  with 
the  mental  health  system. 

•  Inpatient  psychiatric  units.  Maintaining  a  patient  on  these  units  is  expensive; 
daily  rates  per  bed  run  from  $500  to  $1,500  per  day  across  the  province. 

•  Inpatient  group  programs.  These  typically  assess  and  train  patients  for  post- 
discharge  life. 

•  Outpatient  group  programs.  The  client  comes  to  the  hospital  to  attend  either 
general  courses  on  self-esteem  and  assertiveness  training  or  specialized 
programs  such  as  early  psychosis  or  eating  disorders. 

The  RHAs  have  established  mental  health  clinics  throughout  their  regions.  In 
most  cases  the  clinic  is  physically  separate  from  a  hospital,  although  David 
Thompson  Health  Region  has  moved  many  of  its  smaller  community  clinics 
into  the  local  hospital.  Clinics  offer: 

•  Intake,  assessment,  and  diagnosis  of  the  client. 

•  Individual  therapies.  There  are  many  ways  to  categorize  this  work.  One  is 
by  frequency  of  visits  to  the  therapist:  single  session,  brief  therapy  (up  to 
five  visits),  short  term,  or  long  term.  Another  way  is  by  type  of  therapy: 
cognitive  behavioural,  hypnosis,  or  dialectic  behavioural. 

•  Group  therapies  and  activities. 

The  RHAs  can  deliver  mental  health  services  to  the  client,  rather  than  have  the 
client  come  to  the  service.  RHAs  offer: 

•  Street  outreach  for  the  homeless. 

•  Mobile  crisis  response  teams  that  go  to  people's  homes. 

•  Assertive  community  treatment  (ACT)  where  the  RHA  aggressively 
provides  services  to  the  most  difficult-to-serve  cases.  These  are  clients  who 
cannot  succeed  without  ongoing  and  intensive  support.  Mental  health 
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professionals  provide  this  service;  they  ensure  the  client  maintains  their  * 

medication  and  help  with  general  living  requirements.  C: 

•    Outreach  services,  which  are  less  intensive  than  ACT,  can  be  performed  by  £ 
less-qualified  individuals  than  ACT.  Outreach  staff  assist  the  client  with 

appointments,  paperwork,  and  day-to-day  chores  such  as  shopping  or  home  ^ 
maintenance. 

Concurrent  disorders  C 

AADAC  and              People  with  concurrent  disorders  have  a  mental  illness  combined  with  an  C 

re^nsiSmy  for          addiction  problem.  This  is  very  common;  study  after  study  shows  that  roughly  q 

concurrent  half  of  those  with  a  mental  illness  have  an  addiction  problem  and  vice  versa.  r 
disorders                  Alberta,  unlike  most  provincial  jurisdictions  in  Canada,  separates  the  mental 

health  and  addictions  mandates.  The  Alberta  Alcohol  and  Drug  Abuse  ^ 

Commission  (AADAC),  an  Alberta  government  agency,  has  the  lead  in  € 

formulating  concurrent  disorder  policy  in  the  province.  C 

€ 

Ideally,  concurrent         The  mental  health  problems  of  people  with  concurrent  disorders  often  (3 

treatment  should  u  .        .  ul  ,    .  ^  11  1 

be  simultaneous           exacerbate  their  addiction  problems,  and  vice  versa.  For  example,  a  depressed  _ 

person  may  take  street  drugs  to  combat  his  depression;  these  drugs  ultimately  r 

make  him  more  depressed.  Mental  health  and  addiction  treatments  should 

ideally  take  place  simultaneously  rather  than  sequentially. 

Aboriginal  mental  health  C 

Alberta  has  an             Following  from  the  Provincial  Mental  Health  Plan,  the  Alberta  Mental  Health  _ 

framework^             Board  developed  Aboriginal  Mental  Health:  A  Framework  for  Alberta7.  This  q 

document  contrasts  traditional  aboriginal  medicine  and  healing  with  modern 
medical  science  and  emphasizes  a  holistic  approach  to  mental  health.  Other 

Framework  initiatives  include  hiring  aboriginal  staff,  offering  cultural  C 

sensitivity  training  to  non-aboriginal  mental  health  workers,  and  working  C 

collaboratively  with  other  service  providers.  q 

Suicide  ^ 

5  lber()a  p3S  the  •  Suicide  is  a  tragedy  and  a  devastating  scenario  for  surviving  family  and  friends. 

Strategy       Wn        ^rom  me  Provincial  Mental  Health  Plan  flows  A  Call  to  Action:  the  Alberta  ^ 

Suicide  Prevention  Strategy3.  It  emphasizes  prevention  and  promotion  € 

programs.  RHAs  can  offer  these  programs  in  the  community,  to  targeted  C 

groups,  or  on-line.  RHAs  also  offer  post-vention  programs  after  traumatic  - 
incidents  like  suicide  take  place.  When  grief  counsellors  attend  a  disaster 

scenario,  this  is  post-vention  in  action.  ' 

i 

7  http://www.amhb.ab.ca/Initiatives/aboriginal/Documents/Aboriginal_%20%20Framework.pdf  f 

8  http://www.amhb.ab.ca/Initiatives/suicidePrevention/Documents/A%20call%20to%20action.pdf 
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Many  housing 
options 


Housing  and  supportive  living  programs 

Mental  health  clients  may  need  out-of-hospital  housing.  RHAs  rely  on  not-for- 
profit  organizations,  municipalities,  and  for-profit  owners  to  develop  and 
maintain  housing  units.  Mental  health  services  for  residents  of  these  housing 
units  are  usually  provided  by  the  RHA  or  not-for-profit  organizations. 

•  Crisis  beds  house  a  client  short-term  (usually  no  more  than  five  days)  until 
he  gets  over  the  crisis.  These  are  not  hospital  beds  but  do  offer  24  hour, 
seven  days  a  week  oversight. 

•  Transition  beds  serve  clients  who  have  stabilized  in  hospital  but  need 
temporary  help  before  returning  to  independent  living. 

•  Group  homes  offer  long-term  housing.  Seriously  and  chronically  ill  clients 
can  live  in  these  placements  for  years.  Broadly  speaking,  group  homes  offer 
either  24  hour,  seven  days  a  week  care  or  a  more  limited  shift  of  care  (for 
example,  four  or  eight  hours  per  day). 

•  Approved  homes  are  private  homes  that  take  in  a  client.  Typically,  these 
clients  get  little  to-the-door  service  and  visit  the  clinic  or  hospital  for 
treatment. 

•  For  clients  seeking  independent  accommodations,  either  individual  or 
shared,  the  RHA  may  assist  with  the  search,  arrange  for  supports  (e.g. 
financial  assistance) ,  or  provide  supportive  living  services  such  as  outreach 
or  ACT  programs. 


RHAs  involved  in 
housing  in  four 

ways 


RHAs  participate  in  the  housing  and  supportive  living  component  by 
encouraging  the  development  of  mental  health  beds,  placing  their  clients  in 
these  settings,  partially  funding  the  organizations  that  operate  these  homes,  or 
offering  supportive  living  services  in-home  to  the  residents. 


Mental  health 
divisions  vary  in 
size  across  Alberta 


Organizational  structure 

Mental  Health  is  a  sizeable  division9  within  each  RHA.  RHA  mental  health 
expenditures  range  between  $5  million  and  $240  million;  in  total,  expenditures 
are  about  $475  million  per  year.  This  represents  between  about  2.5%  to  9.7%  of 
RHAs'  operating  budgets.  RHAs  always  operated  their  hospital-based  mental 
health  services.  On  devolution  of  services  from  the  Alberta  Mental  Health 
Board  to  the  RHAs  in  2003,  the  RHAs  acquired  a  significant  community-based 
service  component  plus  the  operation  of  the  specialized  facilities. 


Some  RHAs  have  as  few  as  60  full-time  equivalent  staff  in  their  mental  health 
divisions,  while  the  big  city  mental  health  divisions  have  as  many  as  1,500  full- 
time  equivalents  each.  The  small  RHA  mental  health  divisions  put  their 
resources  into  front  line  staff;  they  can  afford  few  managers,  supervisors,  and 


We  will  use  the  term  "division"  consistently  in  this  document;  in  practice,  each  RHA  uses  its  own  terminology. 
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support  staff.  As  a  rule,  the  larger  the  RHA,  the  greater  the  specialization  in 
sub-divisions  and  programs.  Larger  urban  regions  also  have  a  deeper  hierarchy 
of  directors,  managers,  and  support  functions. 

1 

Information  systems  g 

Paper  files  contain  All  RHAs  keep  extensive  records  about  their  clients  and  patients.  They  are  a 
freatmen"  medical  necessity  and  a  professional  requirement.  Both  hospitals  and  clinics 

maintain  extensive  paper  files.  While  electronic  systems  capture  more  and  more  1 

information,  the  majority  of  detailed  treatment  information  still  resides  in  paper  4 

form.  (g 

(i 

Hospital  electronic        ^11  hospitals  and  mental  health  clinics  use  electronic  information  systems.  In 

systems110"               hospitals,  the  systems  are  primarily  designed  for  medical  as  opposed  to  mental  ^ 

health  patients,  but  psychiatric  units  anticipate  the  introduction  of  mental  1 

health-specific  modules  for  their  computerized  information  systems  in  the  next  | 

few  years.  Some  hospitals  also  use  a  second  computerized  information  system  <g 

to  collect  and  analyze  bed  utilization  data.  ^ 

Clinic  electronic  jhe  computerized  information  systems  used  in  the  clinics  are  custom-built  for 

systems '  "               mental  health.  The  most  common  system  is  ARMHIS,  a  legacy  system  1 

originally  developed  by  the  AMHB.  In  all  cases  but  Lethbridge,  the  clinic's  @ 

information  system  is  different  from  the  hospital's.  (g 

4.  Audit  conclusions  ! 

We  have  concluded  against  the  three  audit  objectives.  ( | 

Objective  1  ' 

Continuum  of  care        ^11  regions  should  provide  a  functioning  mental  health  continuum  of  care  for  1 

each  region               tneir  Clients-  ln  particular,  every  RHA  should  deliver  services  in  the  community,  f 

services  in  clinics,  and  bed-based  support.  The  same  continuum  need  not  exist  ,  @ 

in  every  RHA.  RHAs  select  from  a  variety  of  programs  to  construct  their  ( « 
service  delivery  model.  For  example,  small  RHAs  cannot  offer  specialized 
programs  and  not  every  hospital  can  have  a  psychiatric  unit.  In  these  cases,  the 

RHA  arranges  access  to  these  services  from  larger  centres.  ' 

(| 

RHAs  cover  the  ^         All  RHAs  have  a  mental  health  system  that  offers  the  three  types  of  service  and  <f 

have  exceptions           coordinates  to  some  degree  with  other  service  providers.  We  conclude  each  «. 

region  offers  a  continuum  of  care,  although  in  all  cases  with  exceptions. 

Summary  of              Broadly  speaking,  smaller  RHAs  have  gaps  in  their  services,  especially  in  1  = 

delivering  services  in  the  community.  The  two  big  city  RHAs  offer  a  full  array  '1 

I 

 .   <5 
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The  principles  of 
the  Provincial 
Mental  Health 
Plan 


Uneven  pursuit  of 
PMHP  principles 


Examples  of  good 
practices  found 


of  services  but  experience  higher  demand  than  they  can  meet  with  their  existing 
systems.  The  two  northern  RHAs10  experience  significant  service  delivery 
challenges  based  on  the  rapid  growth  of  communities  and  the  inability  of  the 
mental  health  programs  to  keep  pace.  There  is  a  significant  difference  between 
services  in  the  cities  and  those  in  smaller  towns  or  rural  areas.  In  every  RHA  we 
found  long  wait  times  for  at  least  some  services.  Most  RHA  mental  health 
divisions  can  improve  coordination  with  their  contracted  not-for-profit  service 
delivery  organizations. 

Objective  2 

The  RHAs  should  be  actively  implementing  the  principles  of  mental  health  care 
expressed  in  the  Provincial  Mental  Health  Plan.  The  Plan  does  not  specifically 
state  those  principles  in  one  place  but  they  are  clear  to  those  familiar  with  the 
document  and  with  the  evolution  of  mental  health  services  in  recent  decades. 

RHA  mental  health  staff,  especially  at  the  management  level,  are  familiar  with 
the  Provincial  Mental  Health  P7a/?and  acquainted  with  its  principles. 

We  conclude  that  RHAs  are  pursuing  those  Provincial  Mental  Health  Plan 
principles,  although  unevenly.  For  example,  RHAs  are  at  different  points  in 
delivering  Plan  initiatives  such  as  filling  service  gaps,  providing  housing  needs, 
and  developing  aboriginal  programs.  Our  focus  groups  confirm  that  most 
service  users  did  not  notice  a  significant  change  in  service  delivery  since  the 
Plan  was  released  in  2004.  In  the  last  four  years  many  RHAs  have  filled  gaps  in 
their  programs,  but  they  have  not  transformed  their  mental  health  service 
delivery  to  conform  with  the  Provincial  Mental  Health  Plans  vision.  Regional 
executives  and  managers  will  need  to  be  bolder  in  their  planning  and  execution 
to  transform  their  mental  health  service  delivery. 

Objective  3 

We  thought  we  should  be  able  to  identify  examples  of  good  practice  in  every 
RHA  that  we  visited,  and  we  did.  Not  every  good  practice  can  be  replicated 
through  the  province,  nor  is  every  good  practice  we  highlight  unique  to  a 
particular  RHA.  But  RHAs  have  recognized  opportunities,  implemented 
solutions,  and  benefitted  from  the  improvement.  We  have  included  examples 
throughout  our  report. 


Northern  Lights  Health  Region  contains  Fort  McMurray;  Peace  Country  Health  includes  Grande  Prairie. 
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5.  Recommendations 

5.1  Mental  health  standards 
Recommendation  No.  16 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta 
Health  Services  create  provincial  standards  for  mental  health  services  in 
Alberta. 


Definition  of 
standards 


Other  jurisdictions 
have  mental  health 
standards 


Background 

Standards  are  the  principles,  practices,  and  examples  to  which  the  mental  health 
system  should  conform  and  by  which  the  system  can  be  judged.  Standards 
promote  consistent  and  adequate  levels  of  care  while  clarifying  expectations  for 
clients,  stakeholders,  and  providers. 

Standards  for  mental  health  care  are  not  uncommon.  For  example,  jurisdictions 
such  as  England  and  Australia  have  mental  health  standards;  in  Canada,  Nova 
Scotia  has  mental  health  standards. 


Standards  include 
guiding  principles 


Standards  define 
service  areas 


Standards  support 
accountability 


Standards  typically  contain  a  statement  of  the  importance  of  mental  health. 
They  go  on  to  cover  the  guiding  principles  for  the  discipline.  In  mental  health, 
standards  often  endorse  concepts  such  as  client  focus,  client  choice, 
accountability,  and  more.  The  Provincial  Mental  Health  Plan  has  already 
endorsed  many  of  these  principles. 

Standards  usually  organize  mental  health  services  into  areas  or  issues.  The 
British  areas  include  mental  health  promotion,  primary  care,  access  to  services, 
and  others;  they  cover  the  continuum  of  care.  Areas  and  issues  begin  at  a 
general  level,  but  they  break  down  into  detailed  expectations.  The  Australian 
model  calls  the  details  "criteria".  Here  is  an  Australian  example: 

•  Standard  11  is  "Delivery  of  Care". 

•  Standard  11.4  is  "Treatment  and  Support".  There  are  13  criteria  under  this 
standard. 

•  Criterion  1 1 .4.9  says,  "There  is  a  current  individual  care  plan  for  each 
consumer,  which  is  constructed  and  regularly  reviewed  with  the  consumer 
and,  with  the  consumer's  informed  consent,  their  carers  and  is  available  to 
them." 

•  There  are  "Notes  and  Examples"  under  1 1.4.9  to  clarify  further. 

Standards  usually  contain  a  section  on  accountability,  performance  measures, 
and  reporting  against  the  standards. 
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No  mental  health 
standards  to 
ensure  consistency 
in  Alberta 


Our  audit  findings 

There  are  no  adult  mental  health  standards  in  Alberta.  The  Provincial  Mental 
Health  Plan  endorses  many  of  the  principles  that  standards  would  address  but 
the  Plan  is  not  a  set  of  standards.  The  standards  should  ensure  that  all  regions  of 
the  province  receive  adequate  mental  health  care.  We  were  told  in  our  Phase  I 
work  that  the  second  iteration  of  the  Plan  might  contain  an  initiative  to  create 
mental  health  standards. 


Two  types  of 
standards: 
policy/outcomes 
and  operational 


Standards  should 
define  system's 
clientele 


Two  organizations  need  to  coordinate  Alberta's  standard  setting.  The 
Department  of  Health  and  Wellness  is  responsible  for  standards  that  touch  on 
policy  and  expected  outcomes.  For  example,  recommendation  No.  17  deals  with 
housing,  where  the  Department  would  need  to  set  the  policy  standard  and  define 
outcomes  for  the  service.  On  the  other  hand,  Alberta  Health  Services  is 
responsible  for  operational  standards.  Section  5.7  deals  with  operational  matters 
that  should  be  covered  by  a  standard  developed  by  AHS. 

During  our  work  we  identified  many  cases  where  individual  RHAs  held 
different  views  of  their  mandates.  Three  examples  demonstrate  how  standards 
will  add  clarity  and  consistency  to  the  system. 

Standards  should  define  who  the  system's  clients  are,  who  will  be  served  by  the 
publicly  funded  system.  There  are  many  mental  illnesses  and  many  levels  of 
severity.  Many  mental  health  workers,  managers,  and  executives  believe  the 
RHA  system  should  focus  on  the  serious  and  persistent  cases.  Other  mental 
health  resources  in  both  the  public  and  private  health  care  systems  could  deal 
with  less  serious  cases.  Standards  should  address  this  issue. 


RHAs  not 
consistent  in 
addressing  the 
housing  issue 


Standards  should 

address 

accountability 


Both  the  Kirby  Report  and  the  Provincial  Mental  Health  Plan  advocate  that  the 
publicly  funded  mental  health  system  be  involved  in  providing  the  determinants 
of  health  to  clients.  Housing  is  a  key  determinant  in  the  recovery  of  mental 
health  clients.  However,  we  observed  a  wide  variation  in  how  involved  the  nine 
RHAs  felt  they  should  be.  The  David  Thompson  Health  Region  has  taken  a 
progressive  stance  by  assigning  a  manager  to  this  area  and  actively  promoting 
housing  solutions  in  the  region.  However  regions  such  as  East  Central  have  no 
formal  systems  to  act  on  behalf  of  its  clients.  Provincial  standards  should  define 
the  expectation  in  this  critical  matter. 

Standards  usually  address  the  issue  of  accountability.  In  section  5.8  we  discuss 
how  accountability  for  the  mental  health  system  can  improve,  but  provincial 
standards  should  define  the  expectation  for  and  even  some  of  the  mechanics  of 
accountability. 
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Implications  and  risks  if  recommendation  not  implemented 

Without  expectations  defined  in  standards,  the  mental  health  system  may 
deliver  an  inequitable  level  of  services  across  the  province.  Without  standards 
to  establish  a  foundation,  the  mental  health  service  delivery  system  will  not 
achieve  accountability  for  its  activities  and  outcomes. 

5.2  Housing  and  supportive  living 
Recommendation  No.  17 

We  recommend  that  Alberta  Health  Services  encourage  mental  health 
housing  development  and  provide  supportive  living  programs  so  mental 
health  clients  can  recover  in  the  community. 


Housing  strongly 

influences 

recovery 


Background 

Overwhelmingly,  people  with  a  mental  illness  want  to  live  at  home  in  the 
community.  One  of  the  strongest  positive  influences  on  their  recovery  is  safe, 
secure,  affordable  housing.  However,  a  severe  bout  of  mental  illness  may  cause 
these  people  to  lose  their  housing.  When  this  happens  not  only  will  quality  of 
life  deteriorate,  but  they  may  begin  a  cycle  of  crises  leading  to  repeated  hospital 
visits. 


Hospitals  are  an 
expensive  way  to 
house  clients 


Alberta 
government 
housing  partners 


System  needs  to 
support  clients  in 
the  community 


Mental  health  literature  recognizes  that  keeping  patients  in  hospitals  beyond  the 
period  required  to  stabilize  them  can  be  counter-productive.  Patients  can 
become  reliant  on  hospital  routine  and  recovery  may  be  slowed  or  reversed. 
Lack  of  adequate  housing  for  the  stabilized  patient  contributes  heavily  to 
hospital  stays  that  are  longer  than  necessary.  Hospitals  are  an  expensive  place  to 
house  clients;  in  Alberta,  inpatient  beds  in  psychiatric  units  cost  between  $500 
and  $1,500  per  day.  It  can  be  economically  beneficial  to  find  patients 
appropriate  housing  in  the  community. 

As  the  Provincial  Mental  Health  Plan  notes,  housing  for  people  with  a  mental 
illness  is  an  inter-ministerial  priority.  In  Alberta,  much  of  the  bricks-and-mortar 
housing  mandate  belongs  to  the  Ministries  of: 

•  Housing  and  Urban  Affairs  who  provide  capital  funding  for  low  income 
housing; 

•  Seniors  and  Community  Supports  who  also  provide  capital  funding  and 
inspect  certain  types  of  group  homes. 

De-institutionalization  has  been  the  goal  of  the  mental  health  care  system  for 
decades.  The  development  of  medications  in  the  1950s  empowered  the  system 
to  release  patients  into  the  community.  These  patients  are  not  necessarily  cured; 
they  are  stable  but  need  support.  To  succeed  with  de-institutionalization,  the 
mental  health  system  needs  to  deliver  services  in  the  community  to  keep  the 
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clients  well  and  intercede  when  things  go  poorly.  Supportive  living  programs 
such  as  outreach  and  assertive  community  treatment  (ACT)  address  the  in-home 
needs  of  severely  ill  clients. 


Shortage  of  safe, 
affordable  mental 
health  housing 
units 


Our  audit  findings 

RHAs  have  a  shortage  of  safe,  affordable  housing  for  people  with  a  mental 
illness.  The  RHAs  do  not  systematically  track  the  number  of  their  mental  health 
clients  who  need  housing  placements  across  the  province.  However  both  big 
cities  and  smaller  centres  feel  the  housing  pressure.  For  example  when  we 
visited  Camrose,  32  residents  of  an  inner  city  hotel,  most  of  whom  were  mental 
health  clients,  were  about  to  lose  their  housing.  For  a  city  of  17,000,  this  would 
be  a  mental  health  housing  crisis.  In  Calgary,  mental  health  managers  estimate 
that  at  least  1,500  people  with  mental  illnesses  need  adequate  housing. 


Issues  with 

supportive 

housing 

Lack  of  mandate 

Limited  supply 
and  demand 
information 


Limited  systems  to 

encourage 

developers 


Mental  health 
housing  wrapped 
into  larger  housing 
initiatives 


Limited 
monitoring  of 
clients'  housing 


Most  RHAs  provide  limited  support  for  mental  health  housing  in  their  regions. 
The  major  issues  include: 

•  The  lack  of  a  clear  and  consistent  mandate,  as  we  mentioned  in  our  first 
recommendation. 

•  A  limited  understanding  of  supply  and  demand  for  mental  health  housing. 
We  expected  RHAs  to  calculate  the  demand  for  their  own  clients  and 
determine  supply  through  contacts  with  their  partners  and  other  service 
providers.  However  RHAs  do  not  have  systems  to  calculate  these  factors  or 
the  shortfall  for  housing  in  their  region. 

•  Limited  systems  to  encourage  the  development  of  mental  health  housing. 
Individual  mental  health  workers  may  take  the  initiative  to  assist  their 
clients  and  RHA  staff  sit  on  low-income  housing  committees  in  their 
communities.  Otherwise  client  housing  is  the  responsibility  of  the  client, 
his  family,  or  other  social  support  organizations.  Service  users  voiced  this 
frustration  during  our  focus  groups. 

•  In  the  cities,  mental  health  housing  being  subsumed  by  other  housing 
initiatives.  For  example,  the  mental  health  division  often  participates  in 
broad  housing  initiatives  such  as  eliminating  homelessness  or  providing 
low-cost  housing  to  low-income  families  and  individuals.  People  with  a 
mental  illness  are  a  subset  of  the  homeless  or  the  low-income,  so 
participation  by  the  divisions  is  understandable.  However,  mental  health 
divisions  cannot  expect  these  broader  initiatives  to  address  the  needs  of 
their  clients.  The  divisions  themselves  should  act  directly  on  their  clients' 
behalf. 

•  Limited  monitoring  of  housing.  RHAs  vary  in  ensuring  their  clients' 
housing  is  safe,  secure,  and  provides  adequate  services  to  residents.  Most 
RHAs  limit  their  involvement  to  informal  monitoring  when  mental  health 
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staff  visit  clients.  Some  RHAs  do  not  formally  inspect  housing  units  when 
they  renew  contracts  with  their  operators. 


on  the  unit  RHA.  A  severely  ill  client  with  housing  issues  requires  more  frequent  and  more 

because  they  have         prolonged  visits  to  hospital  psychiatric  units.  Many  long-stay  patients  remain  in 

no  housing                hospital  because  they  have  no  acceptable  housing  option  on  release.  For  * 

example,  at  the  time  of  our  audit  visit  in  Calgary  an  inpatient  marked  his  second  C 

anniversary  on  one  of  the  city's  psychiatric  units.  We  also  saw  stays  of  more  C 

than  a  year  in  Edmonton  psychiatric  units.  r 

su^orfivVhvin  s^ort^a^  °^ outreacn  and  assertive  community  treatment  programs  affects 

programs6  IVin§          the  RHAs  capacity  to  encourage  the  development  of  mental  health  housing.  ^ 

Developers  and  housing  partners  told  us  they  could  provide  low-cost  housing  C 

units  if  someone  would  support  the  residents'  mental  health  needs.  C 

Unfortunately  many  RHAs  cannot  make  that  commitment  so  the  housing  units  q 
go  to  other  residents. 

RHAs  can  act             RHAs  do  not  buy,  build,  or  lease  housing  spaces  and  we  do  not  advocate  they  ^ 

do.  However,  RHAs  that  proactively  promote  housing  initiatives  in  the  C 
community  and  deliver  supportive  living  programs  improve  their  clients'  C 
quality  of  life.  They  also  manage  costs  by  providing  structured  services  rather  (- 
than  relying  on  unplanned  interventions.  We  recognize  the  Department  of  ^ 
Health  and  Wellness  plays  a  role  by  promoting  mental  health  concerns  on  cross- 
ministry  housing  initiatives.  But  to  address  the  housing  gap  effectively  and  ^ 
immediately,  Alberta  Health  Services  (AHS)  should  act  in  each  region.  C 

C 

Gaps  in  outreach          A\\  RHAs  offer  outreach  services  but  only  five  offer  ACT.  Even  where  n 

and  ACT                                           ,            ,           .      „     ,  v 

programs                 programs  exist,  there  can  be  wait  lists  for  the  service.  For  example,  Calgary's  ^ 

ACT  program  has  45  people  waiting  for  the  service.  Clients  with  severe 

illnesses  populate  these  programs  and  without  at-home  services  run  the  risk  of  " 

multiple  hospital  visits.  Literature  suggests  outreach  and  ACT  programs  can  be  % 

as  expensive  as  cyclical  hospitalizations,  but  evidence-based  review  also  shows  (5 

a  better  quality  of  life  for  the  client.  Our  focus  groups  confirmed  their  <- 

appreciation  for  this  form  of  treatment.  ^ 

Cost-effective             Kentwood  House  in  Red  Deer  provides  24  hour,  seven  days  a  week  care  for  25  ^ 

in_home                  clients.  A  private  party  owns  Kentwood;  the  RHA  provides  services  to  the  G 

residents.  The  RHA's  cost  to  maintain  clients  at  Kentwood  is  no  greater  than  to  C 

house  them  at  the  Centennial  Centre  where  many  of  them  came  from.  <j 

Kentwood  and  other  David  Thompson  supportive  living  programs  demonstrate  - 
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AHS  can 
encourage 
development  of 
housing  units 


AHS  can  fund 
operating  costs 


AHS  can  help 
clients  find 
housing 


AHS  can  monitor 
safety  and  security 


Good  practice 


that  an  RHA's  commitment  to  in-home  support  encourages  partners  to  invest  in 
developing  housing  projects. 

AHS  can  encourage  the  development  of  housing  for  people  with  a  mental 
illness.  There  is  a  need  for  a  range  of  housing,  from  group  homes  to  shared 
accommodations  to  individual  apartments.  Not-for-profit  organizations  develop 
many  of  these  housing  opportunities.  For  example,  the  Canadian  Mental  Health 
Association  (CMHA)  provides  housing  in  many  Alberta  cities.  But  AHS  can 
also  encourage  private  developers  who  have  never  considered  the  mental  health 
housing  market  as  an  option  for  their  development. 

AHS  can  fund  not-for-profit  housing  providers  for  a  portion  of  their  operating 
costs.  Currently  many  RHAs  contract  with  the  CMHA  to  fund  at  least  some  of 
the  cost  to  support  clients.  For  example,  Peace  Country  Health  funds  the 
CMHA  for  providing  services  in  a  72  bed  unit  in  Grande  Prairie.  As  the  CMHA 
and  other  not-for-profit  organizations  use  volunteers  to  keep  costs  down,  the 
RHA  receives  good  return  for  its  funding. 

AHS  can  help  clients  locate  suitable  housing  by  coordinating  with  partners.  For 
example,  Lethbridge  operates  a  placement  committee  that  includes  housing 
providers  such  as  the  CMHA  and  the  Southern  Alberta  Self-Help  Association. 
Working  with  this  committee,  the  RHA  arranges  housing,  often  achieving  its 
goal  to  mix  mental  health  clients  in  housing  situations  with  people  who  do  not 
have  a  mental  illness. 

AHS  can  also  monitor  the  safety  and  security  of  the  housing  units  in  which  its 
clients  live.  One  RHA  has  tailored  the  newest  Department  of  Seniors  and 
Community  Supports  housing  standards  to  mental  health  housing  situations  and 
is  considering  how  to  apply  them. 

The  David  Thompson  Health  Region  (DTHR)  assigned  a  manager  to  develop 
housing  alternatives.  He  seeks  partners  who  provide  the  bricks  and  mortar.  To 
cover  capital  costs,  the  developers  can  access  Alberta  government  grants  from 
Seniors  and  Community  Supports.  DTHR  sometimes  provides  funding  for 
operations  at  these  houses  or  its  own  staff  to  look  after  residents.  They  have  had 
success  moving  30-year  residents  of  Centennial  Centre  and  other  long-term 
patients  into  less  expensive,  non-institutional  group  homes  and  bachelor  suite 
residences.  DTHR  eliminated  its  wait  lists  for  all  accommodation  types  except 
chronic  clients  requiring  24  hour,  seven  days  a  week  care. 
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Implications  and  risks  if  recommendation  not  implemented 

Without  housing  and  supportive  living  programs  in  place,  the  quality  of  life  for  £ 

mental  health  clients  may  deteriorate.  They  may  experience  more  frequent  C 
crises  as  well  as  more  frequent  and  longer  visits  to  the  hospital.  The  RHA's 

hospital-based  services  may  be  consumed  by  clients  who  could  remain  in  the  ^ 
community  with  adequate  housing  and  supportive  living. 

5.3  Clients  with  concurrent  disorders  C 

Recommendation  No.  18  C 

We  recommend  that  Alberta  Health  Services  strengthen  integrated  ^ 

treatment  for  clients  with  severe  concurrent  disorders  (mental  health  issues  ^ 
combined  with  addiction  issues). 

C 

Background  C 

The  Provincial  Mental  Health  Plan  assigns  the  lead  for  concurrent  disorders  to  C 

the  Alberta  Alcohol  and  Drug  Abuse  Commission  (AADAC) .  We  did  not  audit  @ 

AADAC  in  this  engagement.  ^ 

Concurrent  disorders  are  well  documented  in  the  western  world.  Roughly  half 

the  mental  health  clients  will  have  an  addiction  issue.  At  the  same  time,  roughly  C 

half  the  addiction  clients  who  seek  assistance  will  have  a  mental  health  C 

problem.  C 

Our  audit  findings 

Sared  iS  ^ '              During  our  audit,  we  saw  examples  of  initiatives  between  AADAC  and  the  *~ 

RHAs'  mental  health  services.  For  example,  in  Lethbridge  AADAC  co-leads  ^ 

group  outpatient  programs  and  in  eight  RHAs  offers  some  level  of  shared  C 

training  in  addictions.  As  well,  AADAC  and  the  RHAs  have  developed  memos  (i 

of  understanding  to  share  client  information,  when  the  client  authorizes  the  q 
sharing.  However  this  recommendation  focuses  on  integrated  treatment  for 
individual  clients. 

<3 

cases  handledT           *n  ^e  ^aSt'  an  a(^ct*on  Pr°blem  often  excluded  a  client  from  receiving  mental  <§ 

an  individual  Y          health  services.  The  mental  health  service  provider  would  not  treat  the  client  fj 

therapist  or  until  the  addiction  was  under  control.  At  the  same  time,  untreated  mental  illness  ^ 
counsellor                was  an  exclusion  for  addictions  treatment.  So  in  the  past,  clients  with 

concurrent  disorders  could  fall  between  the  cracks.  This  is  not  the  situation  any 

more.  The  reality  now  is  that  the  therapist  (whether  AADAC  or  mental  health)  ^ 

has  to  deal  with  both  the  mental  health  and  addiction  problems  at  one  time,  as  5 

best  they  can.  This  is  part  of  the  reason  that  Calgary  renamed  its  branch  Mental  r 

Health  and  Addictions.  It  recognizes  a  daily  reality.  g 

i 
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Some  severe 
clients  require 
integrated  care 


Little  evidence 
that  integrated 
care  takes  place 


Good  practice 


RHAs  rely  heavily 
on  not-for-profit 
services 


However,  some  proportion  of  clients  with  concurrent  disorders  will  have 
serious  enough  mental  health  issues  combined  with  serious  enough  addiction 
problems  to  require  integrated  care.  These  clients  should  see  both  an  addictions 
counsellor  and  a  mental  health  therapist  at  the  same  time.11  Each  provider 
possesses  a  skill  set  necessary  for  this  type  of  client  and  the  two  should  confer 
on  the  case  regularly. 

In  our  file  reviews,  we  specifically  looked  for  cases  of  integrated  care.  While 
we  did  not  exclusively  sample  clients  and  patients  with  concurrent  disorders, 
given  their  prevalence  there  should  have  been  some.  We  found  very  little 
beyond  a  note  in  the  file  that  read,  "Referred  to  AADAC".  There  was  no 
indication  that  the  referral  had  been  made  or  whether  the  client  attended 
AADAC.  We  enquired  of  the  mental  health  staff  and  in  most  RHAs  they  told  us 
there  was  effectively  no  integrated  care  for  clients  with  concurrent  disorders. 
While  we  only  audited  the  RHA  side  in  this  audit,  if  one  of  the  partners  does 
not  participate,  integrated  care  cannot  be  happening. 

In  Lethbridge,  Medicine  Hat,  and  Camrose,  we  learned  that  integrated 
concurrent  care  can  happen.  The  general  rule  seems  to  be  that  integrated  care 
develops  where  mental  health  services  and  AADAC  are  co-located.  In  these 
three  cities,  the  respective  offices  are  either  side-by-side  in  the  Provincial 
Building  or  just  around  the  corner  from  each  other.  Therapists  can  walk  their 
clients  to  the  AADAC  counsellor  and  vice  versa.  Where  physical  distance 
separates  the  services,  integration  rarely  happens. 

Implications  and  risks  if  recommendation  not  implemented 

Without  integrated  care,  clients  with  serious  concurrent  disorders  may  not 
receive  the  treatment  needed  to  recover. 

5.4  Relationships  with  not-for-profit  organizations 
Recommendation 

We  recommend  that  Alberta  Health  Services  improve  relationships  with 
not-for-profit  organizations  to  provide  better  coordinated  service  delivery. 

Background 

Mental  health  service  delivery  relies  heavily  on  not-for-profit  organizations  that 
receive  RHA  funding.  In  various  regions,  the  not-for-profits  provide: 

•  Hospital  services,  therapy  in  clinics,  and  crisis  services; 

•  Services  related  to  the  determinants  of  mental  health  such  as  housing, 
supportive  living,  and  clubhouses; 


11  In  most  cases,  this  means  an  RHA  mental  health  therapist  and  an  AADAC  counselor.  Calgary  has  established  its  own 
Addictions  Centre  and  can  provide  both  skill  sets  to  clients  in  the  program. 
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Advocacy  on  behalf  of  people  with  a  mental  illness. 


Not-for-profits 
uncomfortable 
with  RHA  outlook 


Our  audit  findings 

In  interviews,  not-for-profit  mental  health  service  providers  consistently 
expressed  two  concerns  with  their  relationships  with  the  RHAs.  First,  over  time 
RHAs  expect  more  and  more  services  from  the  not-for-profits  while 
maintaining  funding  at  historic  levels.  These  expectations  include  more  detailed 
planning  and  reporting  of  activities  and  results  to  satisfy  government-style 
accountability.  Second,  not-for-profits  feel  the  RHAs  treat  them  as  contractors 
rather  than  partners  and  do  not  respect  their  contribution  to  the  continuum  of 
care  for  clients. 


RHAs  need  to 
ensure  cost- 
effectiveness  of 
services 


From  the  RHA  point-of-view,  not-for-profits  that  work  under  contract  receive 
public  money  and  need  to  be  as  accountable  as  the  RHA  itself.  Given  the 
contractual  and  funding  relationships  in  place,  the  RHAs  feel  they  need  to 
ensure  quality  outcomes  for  outsourced  services. 


AHS  needs  to 
reconcile  these 
positions 


These  two  positions  can  and  should  be  reconciled.  The  province  cannot  deliver 
the  continuum  of  care  for  mental  health  clients  without  not-for-profit 
organizations.  As  well,  the  RHAs  get  good  value-for-money  due  to  the 
volunteer  element  in  not-for-profits.  The  not-for-profits  need  to  understand  the 
financial  and  accountability  responsibilities  of  the  RHAs.  Alberta  Health 
Services  should  be  proactive  in  improving  these  relationships.  Following  are 
examples  of  how  relationship  issues  can  affect  mental  health  services. 


Housing  issues  in 
Grande  Prairie 


Suicide  prevention 
programs 


Peace  Country  Health 

In  Grande  Prairie,  the  Canadian  Mental  Health  Association  (CMHA)  operates 
the  majority  of  mental  health  housing  units  in  the  city.  Although  about  70 
people  live  in  the  CMHA  housing  and  most  have  a  mental  health  problem,  none 
are  clients  of  the  RHA's  mental  health  services.  The  manager  of  the  CMHA  did 
not  speak  to  the  RHA  for  years  until  personnel  changes  introduced  new 
managers  on  both  sides.  The  annual  contract  between  the  two  parties  has  not 
been  signed  for  two  years. 

The  Suicide  Prevention  Resource  Centre  (SPRC)  developed  the  "Men  at  Risk" 
program,  now  used  in  several  regions  of  the  province.  However,  relations 
between  this  Grande  Prairie  not-for-profit  and  the  RHA  are  distant.  When  we 
interviewed  SPRC  staff,  they  did  not  have  a  clear  view  who  is  responsible  for 
suicide  programs  within  the  RHA.  The  two  parties  had  not  signed  a  contract  for 
two  years  although  the  RHA  still  funds  SPRC  and  the  not-for-profit  provides 
annual  reports  to  the  RHA. 
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Private  hospitals 
in  East  Central 


Good  practice 


Private  hospitals  in  the  East  Central  Health  Region 

The  East  Central  Health  Region  contracts  with  St.  Mary's  Hospital  in  Camrose 
plus  other  Catholic  hospitals  in  that  region  to  provide  hospital  services. 
Independent  not-for-profit  boards  run  these  hospitals.  St.  Mary's  has  the  only 
psychiatric  unit  in  the  region.  Yet  the  relationship  between  St.  Mary's  and  East 
Central  has  not  been  strong.  For  years  a  barrier  existed  between  St.  Mary's  and 
the  RHA's  mental  health  program.  This  meant  that  mental  health  services  were 
not  integrated  in  a  seamless  continuum  of  care.  For  example,  the  parties  did  not 
readily  share  information  about  particular  mental  health  patients  or  programs. 
Both  parties  tell  us  that  this  situation  has  improved  in  recent  years  but  better 
coordination  and  cooperation  are  possible. 

In  Lethbridge,  not-for-profits  congratulated  the  RHA  on  their  relationship 
building.  The  RHA  works  cooperatively  with  the  not-for-profits  to  provide 
services  such  as  crisis  line,  crisis  intervention  teams,  housing,  and  outreach 
services.  We  already  outlined  the  work  in  housing  in  the  David  Thompson 
Health  Region. 


Implications  and  risks  if  recommendation  not  implemented 

Without  good  relations  and  clear  expectations  between  RHAs  and  not-for-profit 
service  providers,  continuum  of  care  for  mental  health  clients  is  at  risk.  Without 
contracting  and  reporting  systems  in  place,  neither  the  RHAs  nor  the  not-for- 
profit  organizations  will  be  fully  accountable  for  their  contribution  to  the 
provincially  funded  mental  health  system. 

5.5  Opportunities  to  reduce  gaps  in  service 
Recommendation  No.  19 

We  recommend  that  Alberta  Health  Services  reduce  gaps  in  mental  health 
delivery  services  by  enhancing: 

•  Mental  health  professionals  at  points  of  entry  to  the  system; 

•  Coordinated  intake; 

•  Specialized  programs  in  medium-sized  cities; 

•  Transition  management  between  hospital  and  community  care. 


Gaps  include  "no 
program"  and  "no 
access  to 
program" 


Background 

The  Provincial  Mental  Health  Plan  discusses  gaps  in  mental  health  service 
capacity  in  terms  of  both  range  of  choices  and  timely  access  to  programs.  For 
the  client,  there  is  little  difference  between  no  program  and  a  program  that  has 
no  room  for  him. 
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First  triage  of 
client  critical  to 
system 
effectiveness 


Chronic,  severe 
clients  need  case 
management 


Telephone  crisis 
line  issues 


Earlier  centralized 
initiative  failed  for 
many  RHAs 


Telephone  crisis 
line  opportunities 


It  is  important  to  have  mental  health  expertise  when  a  client  first  presents 
himself  to  the  mental  health  system.  The  first  triage12  needs  to  make  the  right 
diagnosis.  As  well  the  mental  health  professional  needs  to  know  the  programs 
available  in  the  community  to  which  he  can  refer  the  client.  Otherwise  the 
system  cannot  promptly  refer  the  client  to  the  appropriate  service. 

Historically  a  major  issue  in  mental  health  care  delivery  has  been  integrating 
services  between  the  hospitals  and  the  community.  Too  often  a  person  with  a 
mental  illness  does  not  seek  help  until  he  has  a  crisis  and  ends  up  in  the  hospital 
emergency  room.  When  stabilized  and  leaving  hospital,  he  has  no  services  to 
help  him  return  to  the  community.  Because  mental  illness  is  chronic,  the  cycle 
starts  again.  For  severely  effected  clients,  service  providers  apply  intensive  case 
management  to  break  the  cycle. 

Our  audit  findings 

Mental  health  professionals  at  points  of  entry 

Three  frequent  points  of  entry  to  the  mental  health  system  are  telephone  crisis 
lines,  emergency  rooms  in  hospitals,  and  general  practitioners  in  the 
community. 

The  emergency  phone  numbers  in  the  Yellow  Pages  often  provide  several 
choices  for  mental  health  crisis  services.  Edmonton's  Yellow  Pages,  for 
instance,  present  at  least  four  choices.  Not-for-profit  organizations  operate  most 
crisis  telephone  services  and  often  staff  them  with  volunteers  with  limited 
mental  health  expertise.  Few  phone-in  services  across  the  province  are  24  hour 
services.  Many  crisis  lines  are  not  coordinated  with  the  RHA's  mental  health 
programs  in  the  region. 

There  was  an  earlier  initiative  to  use  Health  Link  as  the  sole  mental  health  crisis 
line  for  Alberta.  RHAs  told  us  the  central  number  did  not  work  for  them.  The 
people  fielding  calls  could  give  little  information  on  services  in  communities 
outside  their  own.  As  a  result,  many  RHAs  abandoned  the  central  telephone 

service. 

However,  Medicine  Hat  relies  exclusively  on  the  Calgary  Health  Link. 
Although  geographically  distant,  Health  Link  staff  can  reference  care 
management  plans  for  Medicine  Hat  clients.  These  plans  state  who  should  be 
consulted  for  this  client  in  defined  situations.  Currently  there  are  province-wide 
phone  numbers  for  emergencies  (911),  telephone  information  (411),  and  non- 


2  Triage  means  determining  (at  a  preliminary  stage)  the  nature  and  severity  of  the  client's  problem  and  the  most  appropriate 
program  for  his  treatment. 
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emergency  Alberta  government  services  (211).  Similarly  there  could  be  a 
mental  health  crisis  line  with  a  province-wide  number  that  refers  callers  to  local 
mental  health  resources. 


Not  all  RHAs 
have  crisis  teams 


Larger  communities  are  more  likely  to  have  a  mobile  crisis  team.  For  example, 
Capital  delivers  a  joint  police-mental  health  crisis  team  as  one  element  of  its 
mobile  crisis  services.  However,  even  smaller  RHAs  need  some  alternative  to 
an  after-hours  voice  message  on  the  crisis  line  that  directs  clients  to  the  hospital 
emergency  room.  In  smaller  communities,  the  crisis  team  need  not  respond  to 
clients'  residences.  David  Thompson  found  that  changing  from  a  mobile  crisis 
team  to  a  crisis  team  that  responds  only  to  emergency  rooms  allowed  them  to 
see  more  clients  with  the  same  resources. 


Not  all  RHAs 
have  mental  health 
professionals  in 
hospitals 


RHAs  can  place 
mental  health 
professionals  in 
hospitals 


GPs  can  access 
mental  health 
professionals 


Not  all  RHAs  have  placed  mental  health  professionals  in  the  hospitals.  For 
example,  Peace  River  recently  discontinued  its  mental  health  liaison  position 
due  to  staffing  demands  in  other  parts  of  its  service.  At  the  Taber  hospital  in  the 
Chinook  region,  the  hospital  and  clinic  staff  have  little  contact  with  each  other, 
limiting  mental  health  expertise  in  that  small  hospital. 

Psychiatric  units  can  respond  to  mental  health  referrals  from  other  units  in  their 
hospitals.  The  exception  is  emergency  room  referrals  due  to  the  high  volume  of 
psychiatric  visits.  City  mental  health  divisions  place  mental  health  professionals 
in  hospital  emergency  rooms;  for  example,  in  Calgary  they  call  it  Emergency 
Mental  Health.  In  hospitals  that  do  not  have  a  psychiatric  unit,  RHAs  have 
created  the  mental  health  liaison  role.  In  this  case  the  community  program 
stations  a  therapist  in  the  hospital  for  consultation  by  emergency  or  any  other 
unit  with  a  mental  health  patient.  These  models  place  mental  health 
professionals  at  first  point  of  contact  in  hospitals. 

General  practitioners  frequently  field  the  first  visit  from  a  person  with  a  mental 
illness.  For  severe  mental  health  cases,  both  the  general  practitioner  and  the 
patient  could  benefit  from  mental  health  expertise  early  in  the  process.  RHAs 
participate  in  two  programs  intended  to  match  mental  health  professionals  with 
the  practitioner.  First,  primary  care  networks13  can  use  their  public  funding  to 
hire  mental  health  staff.  Practitioners  in  networks  can  access  their  mental  health 
staff  to  improve  care  for  their  patient.  Second,  physicians  enrolled  in  shared 


13  Primary  care  networks  (PCNs)  are  groups  of  physicians  within  a  geographic  region  or  community  who  work  with  their 
RHA  to  provide  a  defined  range  of  primary  services.  One  element  of  the  PCN's  agreement  with  the  RHA  could  include 
mental  health  services.  Each  PCN  receives  public  money  to  build  capacity  for  the  services  it  contracts  to  deliver. 
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GPs  still  seek 
support  for  mental 
health  cases 


care   arrangements  can  have  RHA  mental  health  staff  join  them  in  the 
physician's  office  to  deal  with  psychiatric  cases. 

We  did  not  audit  these  initiatives  but  did  learn  that  both  initiatives  are  relatively 
new.  RHA  mental  health  staff  tell  us  that  physicians  have  begun  to  make  use  of 
these  options.  Our  survey  of  physicians  showed  that  about  45%  of  physicians 
wanted  a  closer  working  relationship  with  RHA  outpatient  and  community 
treatment  programs.  About  half  would  like  closer  relationships  with 
psychiatrists,  psychologists,  and  social  workers.  This  suggests  that  practitioners 
believe  mental  health  coordination  and  support  can  improve. 


Clients  need  help 
to  navigate  the 
mental  health 
system 


Centralized  access 
in  cities 


Mental  health 
liaison  in  smaller 
centres 


Coordinated  intake 

The  Provincial  Mental  Health  Plan  advocates  choice  for  clients  and  efficiency 
for  the  service  provider.  Our  focus  groups  identified  access  to  mental  health 
services  as  a  significant  issue.  Regularly,  service  providers  could  not  direct 
clients  to  "the  right  treatment,  at  the  right  place  at  the  right  time".  This  leads  to 
a  slow,  frustrating,  and  often  ineffective  search  for  services  by  clients  and  their 
families.  The  health  care  system  also  feels  the  strain  as  clients  unable  to  access 
mental  health  services  often  end  up  in  the  hospital  emergency  room.  Even  at  the 
ER,  clients  may  not  receive  accurate  advice  on  available  programs. 

In  cities,  centralized  access  facilitates  placement  within  the  system.  The  larger 
the  city,  the  more  mental  health  programs  the  RHA  will  offer.  The  client  or 
family  member  seeking  service  cannot  penetrate  the  system  by  themselves,  nor 
make  the  best  choices.  With  centralized  access,  the  client  meets  a  mental  health 
professional  when  he  contacts  the  RHA,  gets  triaged  immediately,  and  is 
referred  to  the  best  program.  Some  RHAs  have  implemented  this  process 
already.  For  example,  Grande  Prairie  reconfigured  their  intake  so  that  access 
team  members  reside  both  in  the  hospital  and  at  the  clinic.  Calgary  has 
centralized  access  for  14  of  its  adult  mental  health  programs  and  plans  to 
expand  that  coverage. 

Smaller  centres  have  had  success  placing  community  mental  health  liaison 
workers  in  hospitals,  even  in  hospitals  without  an  inpatient  psychiatric  unit. 
Mental  health  liaison  workers  help  hospital  staff  decide  whether  the  client  is 
best  served  in  a  hospital  or  community  program.  There  is  also  a  cross-training 
element  to  liaison  because  few  hospital  staff  have  specific  mental  health 
training. 


14  Shared  care  is  a  collaborative  arrangement  between  primary  care  providers  (physicians)  and  mental  health  professional 
(psychiatrists,  psychologists  and  nurses)  to  improve  the  mental  health  care  of  the  physician's  patients.  For  a  description  of  the 
program,  see:  http://www.health.alberta.ca/key/phc_shared-mental-health.html. 
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special  services  in 
medium-sized 
cities 


Specialized  programs  in  medium-sized  cities 

All  RHAs  have  mental  health  clients  in  need  of  concurrent,  early  psychosis,  and 
other  specialized  programs.  These  clients  must  now  travel  for  treatment. 
However,  specialized  programs  often  have  long  wait  lists.  For  example,  the 
eating  disorder  program  in  Calgary  has  about  a  20  week  wait  and  the  concurrent 
program  in  Ponoka's  Centennial  Centre  has  about  a  24  week  wait.  In  addition, 
travel  and  living  costs  deter  clients  from  making  the  trip. 


Expanding  special 
programs 


Alberta's  medium-sized  cities  are  growing  while  specialized  programs  are 
under  pressure.  Rolling  out  specialized  programs  in  medium-sized  cities  could 
provide  timelier  service  for  clients  and  reduce  pressure  on  existing  programs. 
The  medium-sized  cities  do  not  have  the  resources  to  offer  these  programs 
themselves  now  even  though  they  have  demand.  New  programs  would  require 
new  resources  so  as  not  to  diminish  existing  programs. 


Transition  key  to 
recovery 


Discharge 
planning  at  the 
hospital 


RHAs  create 
programs  to 
address  transition 
issues 


Transition  management  between  hospital  and  community  care 
Chronic  mental  health  clients  move  from  program  to  program  as  their  situation 
evolves.  Managing  the  transition  between  programs  requires  care  planning  and 
case  management.  Our  focus  groups  told  us  that  lack  of  transition  coordination 
was  a  major  challenge  to  their  recovery.  No  matter  how  successful  their  hospital 
care,  many  patients  need  assistance  with  their  recovery  when  they  leave  the 
hospital.  For  example,  research  shows  that  patients  are  at  increased  risk  shortly 
after  release  from  the  psychiatric  unit15.  Because  of  uncertainty  when  patients 
will  be  released  from  hospital,  community  services  may  find  it  difficult  to  pick 
them  up  on  short  notice.  The  community  program  may  have  a  waiting  list 
anyway. 

Discharge  planning  by  hospital  staff  is  one  aspect  of  successful  transition.  One 
social  worker  at  the  Foothills  Hospital  in  Calgary  did  a  particularly  strong  job, 
bringing  the  patient's  family  into  hospital  for  meetings  with  the  treatment  team 
and  arranging  housing,  income  support,  and  other  determinants  for  a  successful 
life.  Community  mental  health  workers  can  visit  their  clients  in  hospital;  for 
new  clients,  workers  can  enrol  them  in  the  proper  program  and  begin  to 
establish  a  relationship.  Our  file  testing  in  hospitals  showed  this  rarely 
happened. 

RHAs  can  build  programs  specifically  to  address  transition.  In  Calgary,  the 
Community  Extension  Team  supports  clients  until  they  can  enrol  in  a  program 
like  Adult  Short  Term  therapy.  Smaller  cities  have  had  success  with  single- 
session  walk  in  for  clients  awaiting  enrolment.  In  small  towns  with  limited 


15  See  later  description  on  p.  191  for  the  study  done  by  Calgary  Health  that  led  to  the  pilot  "Seven  Day  Follow  Up"  program. 
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programs  and  capacity,  mental  health  workers  need  to  manage  transition  clients  ' 

on  a  one-to-one  basis.  • 

I 

Community               The  community  programs  may  not  know  exactly  when  clients  will  appear  but  @ 

esdmatedemand          tne^  can  determine  how  much  of  their  service  is  required  over  a  period  of  time.  | 

With  that  understanding,  they  can  build  program  capacity  to  accept  the  flow- 
through.  ' 

I 

Good  practice             Medicine  Hat  has  created  care  management  plans  for  about  25  clients  who  < 

regularly  access  their  services,  especially  their  hospital  service.  The  client,  his  I 

family  and  general  practitioner,  the  hospital,  and  the  crisis  line  get  a  copy  of  the  - 
plan.  All  parties  are  prepared  for  the  client  whether  he  is  stable  or  in  crisis.  For 

example,  if  the  client  or  a  family  member  senses  a  crisis,  they  can  call  the  crisis  ' 

line  who  will  take  pre-planned  action  to  minimize  adverse  effects.  I 

I 

Implications  and  risks  if  recommendation  not  implemented  I 

Without  a  centralized  crisis  telephone  line,  there  is  a  proliferation  of  phone  - 
numbers  that  may  not  be  connected  to  RHA  mental  health  services.  As  a  result, 

clients  may  not  reach  appropriate  services.  Without  mental  health  professionals  ' 

at  points  of  contact,  coordinated  intake,  and  effective  transition  processes,  it  is  3 

difficult  to  integrate  and  optimize  mental  health  services.  Opportunities  to  t 

cross-train  health  staff  may  be  lost.  Clients'  recovery  may  be  compromised  by  j 

inappropriate,  untimely,  or  uncoordinated  placements.  In  a  worst  case  scenario,  ^ 
clients  may  fall  through  the  cracks  and  not  receive  treatment.  Improper 

placements  are  a  frustration  for  clients.  - 

I 

Without  an  increase  in  specialized  programs,  clients  must  endure  long  wait  G 

times  and  travel  concerns.  As  well,  more  locations  reduce  the  pressure  on  ^ 
existing  programs. 

5.6  Provincial  coordination  ' 

Recommendation  i 

We  recommend  that  Alberta  Health  Services  coordinate  mental  health  I 

service  delivery  across  the  province  better  by:  ■ 

•  Strengthening  inter-regional  coordination.  > 

•  Implementing  standard  information  systems  and  data  sets  for  mental 

health.  ' 

•  Implementing  common  operating  procedures.  ^ 

•  Collecting  and  analyzing  data  for  evidence-based  evaluation  of  mental  I 
health  programs.  (- 

1 

a 

  i 
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Department  and 
AMHB 

responsibilities 


Mental  Health 
Networks 


Agreement  on 
central  mental 
health  data 
collection 


Evidence-based 
treatments  and 
programs 


Background 

There  are  mechanisms  to  manage  (as  opposed  to  deliver)  mental  health  services 
across  Alberta.  The  Department  of  Health  and  Wellness  maintains  the  policy 
framework  and  monitors  outcomes.  The  AMHB  provides  policy  input,  collects 
and  assesses  strategic  data,  and  facilitates  certain  provincial  initiatives. 

The  RHAs  themselves  participate  on  Mental  Health  Networks.  Senior  personnel 
meet  regularly  on  the  provincial  Network;  representatives  from  A  AD  AC,  the 
Department,  and  major  not-for-profit  organizations  also  attend.  The  three 
southern  RHAs  have  formed  their  own  Southern  Alberta  Mental  Health 
Network. 

There  is  province-wide  agreement  on  the  definition  of  inpatient  and  community 
mental  health  information  records.  The  Department  of  Health  leads  this 
initiative  and  will  eventually  collect  the  data  from  the  RHAs  and  maintain  the 
information  system.  The  RHAs  have  not  begun  to  send  the  data  yet,  nor  is  there 
a  system  to  accept  it. 

"Evidence-based"  means  having  data  from  scientific  research  to  prove  that 
treatments  and  programs  actually  improve  clients'  lives.  This  concept  relates  to 
program  evaluation,  cost  considerations,  and  comparative  efficiencies.  RHAs 
should  deliver  evidence-based  treatments  and  programs  that  are  effective  for  the 
client  as  well  as  cost  effective. 


The  need  to 
cooperate  between 
regions 


Mental  Health 
Networks  do  not 
fulfill  the  need 


Our  audit  findings 

Inter-regional  coordination 

Despite  regionalized  program  delivery,  regions  still  need  to  coordinate 
initiatives  such  as  the  ones  we  discuss  later  in  this  recommendation  under  the 
Common  operating  procedures  sub-heading.  Smaller  RHAs  do  not  have  the 
resources  to  develop  every  initiative  themselves,  so  coordinating  with  other 
RHAs  offers  leverage.  Group  coordination  can  also  result  in  efficiencies 
because  the  group  can  generate  a  solution  once  rather  than  replicate  the  effort  in 
every  RHA.  Regions  should  also  share  good  practices,  again  to  promote 
efficiency.  And  the  regions  should  have  a  province-wide  voice  to  speak  to 
service  delivery  issues. 

We  reviewed  the  terms  of  reference  and  recent  minutes  of  the  Mental  Health 
Network  meetings,  both  provincial  and  Southern  Alberta.  While  they  discuss 
initiatives  and  good  practices,  they  do  not  have  a  mandate  to  coordinate 
improvements  across  the  province.  The  mental  health  system  needs  a 
mechanism  to  manage  service  delivery  across  the  province.  Establishing 
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Alberta  Health  Services  and  one  health  region  should  support  coordination 
across  the  province. 


The  need  for 

integrated 

information 


Hospital  and  clinic 

information 

systems 


Information  systems 

To  ensure  integrated  client  service,  practitioners  need  to  share  mental  health 
service  delivery  information.  This  includes  sharing  information  between  the 
hospital  and  the  clinic,  as  well  as  across  regions.  The  system  also  needs 
information  for  the  purposes  of  reporting  and  accountability.  The  diversity  of 
information  systems  interferes  with  these  objectives. 

Each  RHA  uses  at  least  two  computer  systems  to  track  the  treatment  of  mental 
health  patients  and  clients16.  One  system  is  in  the  hospital,  the  other  in  the 
clinic.  These  systems  are  not  integrated  within  RHAs  or  between  RHAs. 


Hospital 

information 

systems 


Community 
mental  health 
information 
systems 


Difficult  to  cross- 
check between 
hospital  and  clinic 


Electronic  Health 
Record  initiatives 


Hospital  software  packages  serve  all  hospital  services,  not  just  mental  health. 
Hospitals  across  the  province  use  three  computerized  information  systems:  the 
Calgary  region  uses  Sunrise  Clinical  Manager;  the  Capital  region  uses  NetCare; 
and  the  remaining  seven  RHAs  use  MediTech.  Those  seven  smaller  RHAs 
participated  in  the  RSHIP  initiative  to  introduce  a  common  system  in  those 
regions.  MediTech  is  the  software  introduced  by  the  RSHIP  initiative.  Calgary 
and  Capital  did  not  participate  in  RSHIP. 

Community  mental  health  programs  use  at  least  three  different  computerized 
information  systems.  The  Calgary  region  uses  ARMHIS  in  some  clinics  and 
CARA  in  others.  ARMHIS  is  the  legacy  system  from  the  AMHB  while  CARA 
is  a  legacy  system  built  by  the  Calgary  region.  The  Chinook  region  uses 
MediTech.  The  remaining  regions  use  ARMHIS. 

Given  the  different  information  systems  it  is  difficult  to  cross-check  on  patients, 
whether  within  RHAs  or  between  RHAs.  Clinics  do  not  have  access  to  hospital 
systems,  and  most  hospitals  do  not  have  access  to  the  clinics'  system(s). 
Information  sharing  is  not  seamless  across  the  continuum. 

Calgary  and  Capital  are  each  building  their  own  Electronic  Health  Record 
(EHR)  software.  The  EHR  can  simultaneously  access  data  in  the  mental  health 
and  other  computerized  information  systems.  By  searching  the  EHR,  mental 
health  workers  can  access  data  in  all  systems  for  an  integrated  view  of  client 
care.  These  initiatives  are  in  the  development  and  early  roll-out  stages.  A 
province-wide  EHR  would  support  a  seamless  continuum  of  care  between 


16  The  exception  is  in  Lethbridge  in  the  Chinook  Health  Region  where  they  use  the  same  information  system  for  hospital  and 

clinic. 
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Difficult  to  cross- 
check between 
regions 


Province-wide 
data  set  defined 


Other  health 
information 
systems  initiatives 


Mental  health 
divisions  do  not 
have  operating 
manuals 


A  plethora  of 
forms  available  to 
workers 


regions. 

Between  the  regions,  ARMHIS  at  one  time  offered  province-wide  access  to 
client  information  from  mental  health  clinics.  While  the  system  continues  to 
operate  in  most  RHAs,  the  province-wide  access  feature  no  longer  works 
effectively.  If  the  client  moves  between  RHAs,  service  providers  may  not  know 
how  the  client  was  treated  or  whether  it  was  successful.  For  hospitals  across  the 
province,  there  is  no  system  to  check  what  has  happened  to  clients  in  other 
regions. 

The  Department  and  the  AMHB  have  defined  a  common  data  set  for  inpatient 
and  community  mental  health  programs.  We  reported  in  our  April  2008  Phase  I 
work  that  the  goal  is  to  roll  out  this  data  set  in  April  2009.  The  RHAs  agreed  to 
these  data  sets  but  during  our  field  work  many  RHAs  told  us  they  do  not  have 
the  capacity  to  collect  all  of  the  defined  data  fields. 

There  are  province-wide  health  information  systems  initiatives  underway.  For 
example,  the  RSHIP  project  is  ongoing  but  the  mental  health  workers  in  the 
RHAs  could  not  say  whether  or  how  quickly  mental  health  modules  within  the 
software  might  be  implemented.  Similarly,  it  is  not  clear  how  a  province-wide 
EHR  initiative  might  affect  information  sharing.  We  did  not  include  these 
information  systems  initiatives  in  the  scope  of  this  audit. 

Common  operating  procedures 

The  AMHB  created  a  province-wide  operational  manual  decades  ago.  It  was 
last  updated  in  the  1990s.  It  includes  guidelines  on  operational  matters  such  as 
when  to  close  files  and  how  to  monitor  activities  in  the  clinic.  No  individual 
RHA  has  updated  that  manual  nor  is  there  a  province-wide  initiative  to  do  so. 
Even  though  it  is  out-of-date,  it  is  still  the  manual  referenced  by  several  RHAs 
in  their  daily  work. 

Mental  health  services  in  hospitals  and  clinics  are  largely  form-driven.  The 
forms  serve  as  an  aide-memoire  and  document  results  with  the  client.  Many  of 
these  forms  are  integrated  with  the  information  systems  used  in  that  region. 
Given  the  number  of  information  systems  and  the  evolution  of  mental  health 
services  over  the  years,  it  is  not  surprising  there  are  many,  often  overlapping, 
forms  used  in  hospitals  and  clinics.  For  example,  we  have  seen  at  least  four 
different  suicide  risk  assessment  forms.  RHAs  still  widely  use  ARMHIS  forms, 
although  RHAs  have  edited  some  and  replaced  others.  Some  forms  used  at 
particular  RHAs  seem  to  be  in  a  perpetual  trial  state;  some  workers  use  the  trial 
forms  while  others  use  older  versions.  Of  course  across  the  province,  no  single 
form  is  used  by  all  hospitals  or  all  clinics.  Redevelopment  of  forms  could  be 
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one  activity  to  follow  a  coordinated,  cross-regional  process.  ^ 

1 

Training  programs         Mental  health  is  an  evolving  discipline  and  service  providers  need  to  stay  up-to-  \ 

date.  The  RHAs  can  develop  consistent  training  expectations  and  programs  \ 
across  the  province.  RHAs  require  some  mandatory  courses  for  their  mental  > 
health  staff.  These  typically  include  administrative  matters,  CPR,  and  managing 
confrontations.  After  that,  no  RHA  dictates  further  mandatory  mental  health-  ^ 
specific  training.  RHAs  encourage  staff  development  but  there  are  differences  ^ 
in  what  is  encouraged  across  the  province.  We  looked  at  training  for  workers  C 
dealing  with  aboriginal,  suicidal,  and  concurrent  clients.  The  need  for  training  d 
was  consistent,  but  the  acceptable  courses  varied  widely.  For  instance,  many  ^ 
regions  sent  their  mental  health  staff  to  the  ASIST  suicide  prevention  course 
while  others  felt  ASIST  was  too  generic  for  mental  health  professionals.  The 
mental  health  divisions  could  organize  and  deliver  a  consistent,  tailored  ' 
curriculum  for  their  staff.  | 

1 

Informal  systems  RHAs  should  also  keep  track  of  which  staff  have  taken  which  training.  We  fi 

to  monitor  staff  .       ,,,  iL  .  ,  Al  „  " 

training  reviewed  the  systems  across  the  province  and  they  vary  from  no  system  to  one 

where  managers  keep  track  of  the  courses  their  staff  have  taken.  Again,  the  '  * 

RHAs  could  develop  a  common  system  so  every  region  can  monitor  training.  ' 

( 

RHAs  are  beginning  to  use  new  technologies.  For  example,  telemental  health  (\ 

telementaf health          allows  long-distance  consultation  and  assessment.  When  Peace  Country  Health  j 

had  no  psychiatrists  for  its  Grande  Prairie  psychiatric  unit,  it  accessed 
psychiatrists  in  other  parts  of  the  province  through  telemental  health.  David 

Thompson  Health  Region  uses  it  frequently.  Besides  serving  clients  remotely,  ' 

regions  can  reduce  travel  expenses  by  using  technology  to  broadcast  training  ( 

and  hold  staff  meetings.  Coordination  is  required  to  develop  the  system  and  ( 

expand  its  use.  ^ 

Evidence-based  evaluation 

collected  client  T°  suPport  the  tnree-year  strategic  Regional  Mental  Health  Plans  proposed  by  ' 

feedback  in  the  tne  Provincial  Mental  Health  Plan,  RHAs  undertook  public  consultations  in  S 

past  2004  and  2005.  They  used  focus  groups,  surveys,  and  community  open  houses  (i 

to  collect  clients'  views  about  mental  health  programs,  gaps  in  service,  and  i 
service  delivery  priorities.  Most  RHAs  have  not  repeated  similar  structured 
exercises.  We  recognize  that  these  activities  can  be  expensive  and  time 

consuming,  especially  for  smaller  RHAs  with  limited  resources.  On  the  other  ' 

hand  they  provide  valuable  information  about  program  success.  ! 

\ 
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Beyond  collecting  client  feedback  on  their  performance  as  service  providers, 
RHAs  need  to  evaluate  their  programs.  Again,  this  can  be  expensive  but  can  be 
and  in  some  cases  has  been  done.  The  Innovation  Fund  application  and 
disbursement  process  requires  an  annual  evaluation  for  each  project.  RHAs 
have  collected  evidence  to  prove  that  innovative  programs  are  cost  effective  and 
serve  clients  better  than  existing  programs. 

The  Calgary  Health  Region's  Information  and  Evaluation  Group  is  unique  in 
Alberta.  Within  this  group  that  recently  celebrated  its  tenth  anniversary,  about 
10  staff  work  exclusively  on  program  evaluation.  Their  reports  generate 
recommendations  that  lead  to  program  improvements.  For  example,  their 
evaluation  of  Calgary's  Access  Mental  Health  (the  region's  centralized  intake 
process)  identified  an  opportunity  to  speed  the  referral  process  by  weeks.  Small 
RHAs  would  not  be  able  to  afford  this  type  of  program,  but  the  province's 
mental  health  service  delivery  system  could  benefit  from  an  evaluation  program 
that  covered  all  RHAs. 


Implications  and  risks  if  recommendation  not  implemented 

Without  provincial  coordination,  it  will  be  difficult  for  regions  to  discuss  their 
concerns  and  develop  efficient  solutions  for  common  issues.  The  issues  include 
matters  such  as  common  information  systems  and  operating  procedures. 
Common  procedures  achieve  efficiency,  leverage,  and  consistency  within 
regions  and  across  the  province.  Without  common  or  at  least  compatible 
operating  procedures,  information  systems,  and  evaluation  processes,  it  is 
difficult  to  analyze  service  delivery  across  the  province,  improve  efficiency  in 
the  system,  and  adjust  programs  to  improve  service. 

5.7  Improving  community-based  service  delivery 
Recommendation 

We  recommend  that  Alberta  Health  Services  strengthen  service  delivery 
for  mental  health  clients  at  regional  clinics  by  improving: 
Wait  time  management. 
Treatment  plans,  agreed  with  the  client. 
Progress  notes. 
Case  conferencing. 
File  closure. 

Timely  data  capture  on  information  systems. 
Client  follow  up  and  analysis  of  recovery. 
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Clinics  follow  the 
medical  model 


Background 

Mental  health  clinics  evolved  in  the  1960s  in  Alberta.  Thanks  to  the 
development  of  drug  regimens,  people  with  a  mental  illness  were  able  to  remain 
in  the  community.  Mental  health  services  moved  out  of  hospitals  and  special 
facilities  and  into  community  clinics.  The  clinics  follow  the  medical  model  of 
clients  visiting  their  professional  service  provider  at  a  clinic.  The  processes  for 
appointments,  client  charts,  and  treatment  programs  should  meet  professional 
standards. 


Importance  of 
documentation  in 
client  files 


Mental  health  workers  across  the  province  told  us:  if  it  wasn't  documented,  it 
didn't  happen.  Documentation  is  a  fundamental  clinical  requirement  in  the 
mental  health  field.  Mental  health  programs  have  long  set  standards  for 
documentation.  Documentation  underpins  continuity  of  service  for  each  client 
and  helps  determine  whether  the  treatment  program  is  succeeding.  It  also 
supports  the  evaluation  of  overall  service  delivery  in  the  clinic.  Finally,  it 
mitigates  the  risk  of  litigation. 


We  reviewed  190 
Adult  Short  Term 
files 


Wait  times  need  to 
be  managed 


Variation  in  wait 
times  for  Adult 
Short  Term 


Management  can 
make  better  use  of 
activity  data 


Our  audit  findings 

During  our  audit,  we  examined  about  190  client  files  from  clinics  across  the 
province.  We  always  examined  the  Adult  Short  Term  program,  where  the  client 
visits  the  therapist  in  the  clinic.  Where  the  RHA  ran  other  adult  programs  from 
the  clinic,  we  also  examined  a  sample  of  those  files. 

Wait  time  management 

Almost  all  the  mental  health  programs  we  examined  were  fully  subscribed. 
Most  had  wait  times  for  new  clients.  When  programs  are  full  and  mental  health 
resources  fixed,  mental  health  management  needs  to  consider  innovative 
approaches  so  new  clients  can  enter.  The  alternatives  to  innovation  are  long 
wait  times  or  heavy  case  loads  per  therapist. 

For  example,  wait  times  for  the  Adult  Short  Term  program  varied  across  the 
province.  We  measured  wait  time  from  when  the  client  contacted  the  mental 
health  system  until  he  began  his  treatment.  In  city  clinics,  the  average  wait  time 
(as  calculated  by  our  sample  of  files)  varied  from  two  weeks  to  more  than  ten 
weeks,  averaging  about  five  weeks.  In  small  communities,  it  varied  from  one 
week  to  five  weeks,  averaging  about  two  weeks. 

Management  can  use  activity  data  to  manage  wait  times,  case  loads,  and  data 
capture.  Software  like  ARMHIS  provides  standard  reports  on  therapists'  case 
loads,  recent  client  contacts,  and  dormant  files.  None  of  the  managers  that  we 
interviewed  routinely  reviewed  these  reports.  In  some  regions  such  as  Calgary, 
a  mental  health  colleague  periodically  reviews  these  reports  with  therapists.  But 


182 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Health  and  Wellness 


Alberta's  mental  health  service  delivery  system 


Good  practice 


Treatment  plans 
not  always 
completed 


Quality  of  plans 
should  improve 


Treatment  plans 
not  agreed  with 
clients 


Templates  can 
improve  quality  of 
progress  notes 


in  general,  closer  management  of  therapists'  case  loads  can  identify 
opportunities  to  improve  service.  As  well,  reviewing  these  reports  would 
highlight  data  entry  issues.  Later  in  this  recommendation,  we  note  that  many 
RHAs  have  a  problem  keeping  this  data  up-to-date. 

The  Red  Deer  clinic  in  the  David  Thompson  Health  Region  adjusted  its 
processes  to  shorten  wait  times.  When  wait  times  for  the  Adult  Short  Term 
program  exceeded  eight  weeks,  management  implemented  a  Brief  Therapy 
program.  Initial  triage  directed  mildly  ill  clients  to  the  Brief  Therapy  program, 
thereby  freeing  capacity  in  Adult  Short  Term. 

Treatment  plans 

Professional  requirements  and  RHA  procedures  call  for  treatment  plans.  Plans 
should  describe  the  proposed  therapy,  the  frequency  of  client  visits,  and 
expected  duration  of  treatment.  However,  most  treatment  plans  were  either  not 
done  or  done  poorly.  We  accepted  almost  anything  labelled  "treatment  plan  in 
our  file  tests.  Even  so,  many  clinic  files  did  not  have  a  treatment  plan.  For 
example  in  the  six  city  clinics  we  visited,  the  percentage  of  files  without  a  plan 
ranged  from  17%  to  85%.  In  two  of  the  six  smaller  centres  we  visited,  the  files 
we  examined  contained  no  treatment  plans. 

The  quality  of  treatment  plans  could  be  very  low  indeed.  One  plan  said,  in  its 
entirety  "Psychotherapy;  chemotherapy".  Management  needs  to  ensure  that 
documentation  reflects  a  clear  treatment  plan.  Without  one,  therapy  can  be 
open-ended  and  undirected. 

Treatment  plans  should  be  discussed  and  agreed  with  the  clients.  This  did  not 
happen  in  our  sample.  As  well,  our  focus  groups  told  us  that  only  10%  of 
service  users  felt  they  had  been  involved  in  developing  their  plan;  few  were 
aware  of  a  specific  plan.  Family  members  were  not  often  asked  for  their  input 
although  when  it  comes  to  discharge,  they  are  often  the  ones  expected  to  deliver 
care  to  their  family  member. 

Progress  notes 

For  every  client  event,  the  therapist  writes  progress  notes  for  the  file.  However 
most  notes  do  not  answer  the  question,  "How  is  the  treatment  progressing?" 
Notes  are  generally  the  novelization  of  the  client's  life,  detailing  the  client's 
activities  and  feelings  since  the  last  visit.  Notes  need  to  tie  back  to  the  treatment 
plan  and  describe  what  was  done  during  the  visit,  how  the  client  reacted,  and 
what  the  next  step  needs  to  be.  Regions  like  Palliser  and  David  Thompson  have 
developed  a  template  for  notes  that  guides  therapists  to  comment  on  key 
treatment  elements.  File  review  by  management  and  remediation  for  weak 
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performers  would  ensure  that  therapists  follow  the  template  and  produce 
stronger  progress  notes. 

Just  reading  the  progress  notes  can  be  a  major  challenge.  The  great  majority  of 
notes  are  hand  written.  Many  therapists'  scrawl  can  be  incomprehensible.  Under 
those  circumstances,  a  reader  cannot  tell  what  has  happened  with  the  client's 
treatment.  Computers  and  typed  progress  notes  would  answer  this  issue, 
although  most  clinics  do  not  provide  computers  to  each  therapist. 

There  should  be  notes  for  every  client  event.  We  found  this  to  be  the  case  with 
one-to-one  sessions.  However,  when  the  client  attended  group  therapy  sessions 
or  received  outreach  visits,  progress  notes  became  non-specific.  Instead  of 
describing  a  particular  event  with  a  particular  client,  progress  notes  covered 
multiple  clients  or  multiple  events.  While  this  saves  time  for  the  note  writer, 
notes  made  from  distant  memory  may  be  inaccurate  or  imprecise. 

Case  conferencing 

Case  conferencing  is  a  common  mental  health  procedure.  The  therapists  in  a 
clinic  gather  weekly  to  discuss  selected  cases.  Typically  therapists  discuss  cases 
early  in  the  assessment  and  treatment  stage  to  confirm  the  proposed  treatment. 
If  treatment  does  not  produce  the  expected  results,  the  case  can  be  conferenced 
again  to  consider  alternative  approaches. 

We  sat  in  on  conferences  and  looked  for  documentary  evidence  of  conferencing 
in  the  client  files.  Generally  RHAs  require  conferencing  at  least  once  during 
treatment.  We  found  that  RHAs  did  not  conference  at  the  assessment  stage  as 
frequently  as  their  policies  required.  For  the  cities,  the  percentage  of  files  in  our 
sample  that  had  been  conferenced  ranged  from  5%  to  84%.  Clinics  did  not  often 
conference  cases  again,  no  matter  how  long  the  client  remained  in  therapy.  Our 
file  review  showed  that  therapists  conferenced  3  of  25  long-term  cases. 

File  closure 

Every  RHA  has  rules  about  file  closure,  although  the  rules  differ  across  the 
province.  Typically,  when  the  therapist  and  client  complete  therapy,  or  if  the 
therapist  does  not  see  or  hear  from  the  client  for  30  days  (or  60,  or  90 
depending  on  the  RHA),  the  therapist  should  close  the  file.  This  entails  writing 
a  closure  summary  that  should  assess  the  success  of  treatment. 

We  reviewed  81  files  that  should  have  been  closed,  but  25  of  these  were  not. 
The  reason  commonly  given  for  not  closing  a  file  was  that  it  takes  time;  should 
the  client  return,  even  more  effort  is  required  to  re-open  it.  File  review 
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Timely  data  capture 

Clinics  have  trouble  keeping  the  data  in  their  computer  systems  up-to-date.  In 
the  Calgary  clinic  that  we  audited,  staff  had  not  entered  event  data  (i.e. 
information  about  client  sessions)  for  six  months  due  to  staff  illness  and 
retirement.  Other  RHAs  had  lesser  delays  but  all  clinics  we  visited  suffered 
some  level  of  untimely  data  entry. 

Client  follow  up  and  analysis  of  recovery 

At  the  end  of  treatment,  therapists  should  analyze  whether  treatment  helped  the 
client  recover.  The  judgment  of  the  therapist  and/or  client  determines  whether 
the  client  has  recovered  and  to  what  degree.  However,  in  our  file  reviews  we 
found  only  25  of  81  closed  files  analyzed  the  success  of  recovery.  No  RHA 
collects  these  statistics  in  its  information  systems. 

Nor  do  most  RHAs  systematically  collect  satisfaction  feedback  from  their 
clients.  RHAs  send  out  surveys  to  recent  clients  from  time  to  time.  But  to 
reinforce  the  view  that  clients  have  not  been  canvassed,  more  than  90%  of  our 
focus  group  participants  told  us  they  had  not  been  asked  for  input,  whether 
related  to  their  personal  experience  or  for  input  into  program  design. 

Implications  and  risks  if  recommendation  not  implemented 

Without  wait  time  management,  the  clinics  will  find  it  difficult  to  manage  the 
flow-through  of  clients.  Unless  clients  complete  their  treatments,  the  only  way 
to  take  in  new  clients  (assuming  constant  resources  for  the  program)  is  to 
increase  caseloads,  which  affects  the  quality  and  frequency  of  treatment. 

Without  treatment  plans  agreed  with  the  client,  expectations  for  treatment  are 
not  clear.  For  clients  who  approve,  the  treatment  plan  can  be  shared  with  family 
members  who  can  support  the  client  in  his  recovery.  Treatment  plans  are  a 
foundation  to  assess  the  client's  progress. 

Without  internal  processes  like  progress  notes,  cases  conferencing,  file  closure, 
and  client  follow  up,  it  is  difficult  to  assess  a  client's  recovery  or  adjust 
treatments.  These  processes  also  support  caseload  management  for  therapists 
and  the  assessment  of  program  success. 

Without  timely  and  complete  data  in  the  computer  system,  management  lacks 
an  important  tool  to  assess  caseloads  and  wait  lists. 
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5.8  Funding,  planning,  and  reporting 
Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta 
Health  Services  ensure  the  funding,  planning,  and  reporting  of  mental 
health  services  supports  the  transformation  outlined  in  the  Provincial 
Mental  Health  Plan  as  well  as  system  accountability. 

Background 

Funding 

The  Department  of  Health  and  Wellness  funds  the  RHAs.  Two  major  elements 
of  annual  funding  are  global  funding  and  province-wide  funding. 

Global  Funding  covers  most  of  an  RHA's  operating  costs.  It  is  a  population- 
based  allocation  system;  the  system  is  described  annually  in  a  Department 
brochure17.  Global  Funding  has  a  mental  health  component  that  began  in 
2003-04  with  the  devolution  of  services  from  the  AMHB  to  the  RHAs.  While 
they  can  spend  their  overall  health  allocation  any  way  they  see  fit,  RHAs  view 
the  mental  health  allocation  from  the  Department  as  an  indication  of  what  their 
mental  health  budget  should  be. 

Province-wide  funding  applies  to  defined,  centrally  delivered  activities  that 
cannot  be  economically  replicated  across  the  province.  These  activities  include 
specialized  surgeries,  unique  programs,  and  expensive  drug  regimes.  Province- 
wide  funding  does  not  currently  apply  to  mental  health  services. 

In  2005,  the  Department  added  Mental  Health  Innovation  Funds  to  the  funding 
mix.  One  implementation  priority  of  the  Provincial  Mental  Health  Plan  called 
for  a  transition  fund  to  implement  "the  new  directions  set  in  this  provincial 
policy".  During  transformation  to  the  new  service  delivery  model,  RHAs 
expected  to  maintain  their  hospital  and  facility  operations  at  historic  levels 
while  they  built  capacity  in  their  community-based  services.  Once  capacity  was 
built,  inpatient  psychiatric  demand  would  decline  and  the  system  would  return 
to  its  previous  financial  level. 

The  notion  of  a  transition  fund  evolved  into  the  Innovation  Fund.  It  was  no 
longer  specifically  for  transition.  The  program  rules  (which  we  reviewed  during 
Phase  I)  emphasized  filling  gaps  in  service.  $75  million  was  distributed  to  the 
RHAs  over  three  years  ending  in  2009. 


For  the  2007-08  funding  manual,  see:  http://www.health.alberta.ca/regions/RHA07to08FundManual.pdf 
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All  RHAs  do  the  budgeting  expected  of  large,  complex  organizations.  The 
RHA's  activities  are  broken  down  into  divisions  and  sub-divisions,  one  of 
which  is  mental  health.  The  mental  health  budget  is  further  subdivided  into 
units.  At  the  most  granular  budget  level,  a  manager  or  supervisor  is  responsible 
for  a  program  or  activity;  it  is  usually  a  cost  centre  approach  where  both 
revenue  and  expense  are  budgeted  annually. 

Planning 

All  RHAs  follow  certain  government-dictated  planning  processes.  A  Provincial 
Mental  Health  Plan  implementation  priority  obliged  each  RHA  to  develop  a 
strategic  Regional  Mental  Health  Plan  in  2005.  Each  Regional  Plan  had  a 
three-year  window,  2006-09.  The  Department  of  Health  and  Wellness  and  the 
AMHB  reviewed  these  Regional  Plans  and  the  Minister  approved  them.  To 
support  the  strategic  Regional  Plan  initiative  of  2005,  every  RHA  undertook 
some  form  of  needs  assessment  and  collected  input  from  the  public. 

Each  year  every  RHA  creates  a  Regional  Health  Plan  that  offers  a  three-year 
view  of  goals,  initiatives,  and  measures  for  all  health  care  responsibilities.  This 
is  a  public  document,  approved  by  the  RHA  Board  and  the  Minister  of  Health 
and  Wellness.  Every  RHA  Plan  contains  a  mental  health  section  with  a 
narrative,  measures,  and  targets.  Each  year  the  RHA  also  creates  a  one-year 
Business  Plan.  The  Business  Plan  integrates  business  initiatives  with  the 
financial  budget  at  a  more  detailed  level  than  the  Regional  Health  Plan.  The 
Business  Plan  is  not  a  public  document. 


RHAs'  public 
Annual  Reports 


Reporting 

Year-end  reports  typically  respond  to  plans  from  the  beginning  of  the  year.  For 
example,  an  RHA's  Annual  Report,  a  public  document,  answers  to  its  Regional 
Health  Plan.  A  Report  contains  a  narrative  about  mental  health  activities, 
performance  measures,  plus  the  RHA's  financial  statements. 


Performance  measures  indicate  how  key  strategies  are  progressing.  Measures 
support  the  evaluation  of  system  results,  as  opposed  to  evaluating  individual 
client  progress  or  program  success. 


The  financial 
piece  can  support 
transformation 
better 


Our  audit  findings 

Funding 

Funding  decisions  by  the  Department  and  RHAs  do  not  specifically  support  the 
transformation  described  in  the  Provincial  Mental  Health  Plan.  The  financial 
foundation  for  transformation  can  be  strengthened.  Predictability  and  certainty 
of  funding  encourage  service  providers  to  implement  long-term  strategies  as 
they  transform  their  service  delivery  systems. 
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Funding  methods 
change 


Cost  to  operate 
specialized  mental 
health  facilities  is 
high 


Funding  facilities 
as  province-wide 
services 


Uncertainty  about 
Innovation  Funds 
after  2008-09 


RHAs'  mental 
health  budgets 
continue  to  grow 


Since  2003,  the  Department  has  regularly  changed  its  methods  to  allocate 
annual  mental  health  funding  to  RHAs.  Changing  the  funding  method  makes  it 
more  difficult  for  an  RHA  to  predict  future  funding.  Uncertainty  in  funding 
makes  it  difficult  for  RHAs  to  implement  the  long-term  strategies  necessary  to 
transform  the  system. 

The  cost  of  operating  specialized  facilities  is  increasing  significantly.  These 
facilities  include  Alberta  Hospital  EdmontonError!  Bookmark  not  defined., 
the  Centennial  Centre  in  Ponoka,  and  the  Claresholm  Care  Centre.  For  example, 
the  rate  of  increase  in  cost  to  run  the  Centennial  Centre  in  the  David  Thompson 
Health  Region  (DTHR)  has  outpaced  the  average  funding  rate  of  increase  for 
mental  health  in  the  region.  DTHR's  expenditure  on  community-based  care  has 
actually  decreased  over  four  years. 

To  transform  Alberta's  mental  health  service  delivery  according  to  the 
principles  outlined  in  the  Provincial  Mental  Health  Plan,  RHAs  need  to  expand 
community-based  services.  The  high  cost  of  special  facility  operations  puts 
financial  pressure  on  the  RHAs'  community  programs.  If  facilities  are  truly 
provincial  resources,  a  funding  approach  that  treats  them  as  province-wide 
services  might  be  more  appropriate. 

About  2%  to  3%  of  mental  health  funding  comes  from  the  Innovation  Fund.  All 
RHAs  expressed  concern  how  to  continue  the  Innovation  Fund  projects  after 
2008-09  if  the  Department  were  to  cut  off  the  funding  source.  The  Department 
has  recently  annualized  this  funding,  so  the  concern  is  now  resolved.  However, 
it  is  another  example  of  the  RHAs'  uncertainty  about  long-term  funding. 

On  devolution  of  services  from  the  AMHB  to  the  RHAs,  service  providers 
worried  that  RHAs  might  redirect  mental  health  funding  to  prominent  health 
concerns  such  as  surgeries.  We  examined  the  RHAs'  budgeted  and  actual 
expenditures  from  devolution  to  2008.  All  RHAs  have  increased  their  mental 
health  budgets  and  expenditures  over  that  period.  Not  all  RHAs  matched  their 
mental  health  expenditure  rate  of  increase  to  their  overall  rate  of  increase  in 
health  expenditure,  but  none  have  reduced  their  mental  health  budget  over  the 
five  year  period. 


Strategic  mental 
health  plans  need 
to  be  updated 


Planning  and  Reporting 

The  2006-09  window  for  the  RHAs'  Regional  Mental  Health  Plans  is  coming 
to  an  end.  Like  the  Provincial  Mental  Health  Plan,  these  strategic  plans  should 
be  updated.  While  several  RHAs  told  us  they  were  starting  the  process  to  report 
against  their  strategic  plans,  only  Capital  has  updated  their  three  year  strategic 
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Annual  planning 
should  reflect 
mental  health's 
importance 


Mental  health 
planning  tends  to 
have  a  one-year 
horizon 


RHA 

accountability  for 
mental  health  is 
weak 


Performance 
measures 
numerous  but  of 
limited  value 


Impossible  to  tie 
costs  to  activities 
and  results 


plan  (now  covering  2008-10).  Capital  has  complemented  its  strategic  plan  with 
a  three-year  mental  health  budget. 

The  annual  three-year  Regional  Health  Plans  which  cover  all  RHA  activities  do 
not  contain  enough  information  to  allow  readers  to  determine  the  RHAs'  mental 
health  goals,  strategies  and  intended  results.  The  Regional  Health  Plan  should 
clarify  expectations  for  mental  health  for  the  three  years  covered  and  set  the 
foundation  for  system  accountability. 

We  are  concerned  that  mental  health  planning  tends  to  have  a  one-year  horizon. 
If  the  mental  health  system  is  to  be  transformed  in  accordance  with  the 
Provincial  Mental  Health  Plan,  the  RHAs'  three  year  strategic  Regional  Mental 
Health  Plans  should  be  updated  and  supported  by  three  year  budgets  that 
indicate  the  funding  necessary  to  achieve  the  transformation  initiatives. 

We  are  also  concerned  that  little  public  information  is  available  on  mental 
health  goals,  initiatives,  and  results.  Since  the  Regional  Health  Plans  have 
limited  information  about  mental  health,  the  corresponding  Annual  Reports  also 
contain  little  information  on  the  progress  of  mental  health.  The  mental  health 
portion  in  the  RHAs'  Annual  Reports  focuses  on  activity  levels  and  the 
introduction  of  new  programs.  It  needs  to  assess  the  results  of  the  mental  health 
service  delivery  system. 

The  performance  measures  in  the  Reports  do  not  add  much  clarity.  Broadly 
speaking,  measures  record  activity  levels  (e.g.  numbers  of  programs  or  Health 
Link  calls),  surveys  (e.g.  client  satisfaction  or  residents  reporting  good  mental 
health),  and  statistics  (e.g.  suicides  in  the  region).  Readers  will  find  it  difficult 
to  align  these  measures  with  the  RHAs'  goals  and  objectives.  RHAs  have  not 
set  quantifiable  targets  or  even  reported  actual  results  for  many  measures. 
RHAs  report  between  eight  and  25  measures  each  year,  but  they  change  their 
suite  of  measures  regularly  so  there  is  little  continuity  over  time.  A  stronger  and 
more  consistent  set  of  measures  across  the  province  would  enhance 
accountability. 

The  RHAs'  financial  statements  do  not  disclose  mental  health  costs  separately. 
As  a  result,  readers  of  the  Annual  Reports  cannot  match  costs  with  activities  and 
results.  External  readers  will  find  it  hard  to  assess  the  RHAs'  mental  health 
performance.  This  finding  parallels  our  Phase  I  work  where  we  recommended 
the  Department  of  Health  and  Wellness  and  the  Alberta  Mental  Health  Board 
strengthen  planning  and  reporting  and  ensure  a  sound  accountability  framework 
for  mental  health  in  Alberta. 
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Implications  and  risks  if  recommendation  not  implemented 

Without  longer  term  certainty  in  funding,  RHAs  are  not  encouraged  to  work 
towards  their  longer  term  plans.  It  is  difficult  to  achieve  systemic  change  with 
an  annual,  as  opposed  to  longer-range,  planning  and  budgeting  focus.  Without 
stronger  public  accountability,  there  is  a  risk  that  the  goals  of  the  Provincial 
Mental  Health  Plan  may  not  be  pursued  or  met  by  regional  service  providers. 

5.9  Aboriginal  and  suicide  priorities 
Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  and  Alberta 
Health  Services  consider  whether  the  implementation  priority  for 
aboriginal  and  suicide  issues  is  appropriate  for  the  next  provincial  strategic 
mental  health  plan. 


Aboriginal  Mental 

Health 

Framework 


Background 

The  Provincial  Mental  Health  Plan  has  a  strong  aboriginal  component.  It 
advocates  community-based  strategies,  aboriginal  service  providers,  and 
culturally  appropriate  treatment.  The  Aboriginal  Mental  Health:  A  Framework 
for  Alberta,  published  in  2006 18,  reinforces  this  priority.  In  terms  of 
implementation,  the  Framework  offers  five  "Strategic  Directions":  service 
development;  human  resources;  research  and  evaluation;  funding;  and  data 
collection  and  information. 


A  Call  to  Action. 
Alberta's  suicide 
prevention 
strategy 


The  Provincial  Mental  Health  Plan  lists  suicide  prevention  as  an 
implementation  priority.  As  a  result,  the  AMHB  developed  A  Call  to  Action,  a 
2005  strategy  that  sets  targets  to  reduce  Alberta's  suicide  rate.  As  we  reported 
in  April  2008 19,  specific  funding  for  suicide  prevention  activities  (the  first  goal 
of  the  strategy)  has  not  been  secured.  We  concluded  that  while  some  RHA 
initiatives  had  gone  forward,  without  dedicated  funding  RHAs  may  not  be  able 
to  maintain  this  priority's  momentum. 


Not  clear  that 
mental  health 
initiatives  can 
produce  strategy 
results 


Our  audit  findings 

Having  examined  aboriginal  and  suicide  initiatives  across  the  province,  we 
conclude  the  RHAs  are  implementing  these  priorities  from  the  Provincial 
Mental  Health  Plan  and  its  subsidiary  plans.  While  the  RHAs  have  initiated 
worthwhile  programs  that  should  continue,  it  is  not  clear  that  pursuing  these 
aboriginal  and  suicide  initiatives  can  realize  the  goals  and  results  envisioned  in 
the  Plan.  So  many  factors  affect  aboriginal  mental  health  and  suicide 
behaviours  that  programs  by  mental  health  divisions  have  limited  impact.  As 


http://wvvw.amhb.ab.ca/Initiatives/aboriginal/Documents/AboriginaL%20%20Frarnework.pdf 

Our  report  is  available  at:  http://www.oag.ab.ca/files/oag/April_2008_Annual_Report.pdf,  pp.  89  and  90. 
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Uneven  progress 
on  Framework's 
objectives 


No  model  to 
deliver  integrated 
treatment 


On-reserve  service 
integration  needs 
to  develop 


we  reported  in  our  Phase  I  report  in  April  2008,  it  is  uncertain  whether  the 
RHAs  can  achieve  the  goals  of  the  provincial  strategy  through  their  initiatives. 

The  Aboriginal  Framework  does  not  specify  how  or  who  should  implement  its 
strategic  directions.  From  our  work  across  Alberta,  we  saw  uneven  progress  on 
this  priority.  Some  RHAs  with  small  aboriginal  and  Metis  populations  have  not 
implemented  the  strategies  suggested  in  the  Framework.  Some  RHAs  have 
hired  aboriginal  mental  health  workers  and  are  providing  aboriginal  cultural 
training  to  their  non-aboriginal  employees.  Some  are  also  adding  cultural 
activities  such  as  sweetgrass  ceremonies  to  their  programs.  However,  we  note 
three  challenges  that  threaten  the  success  of  the  Framework's  goals. 

From  our  examination  of  practices  in  Alberta  and  a  brief  review  of  practices 
internationally,  it  does  not  seem  that  anyone  has  developed  a  practical, 
evidence-based  model  to  integrate  modern  medical  treatments  with  traditional 
holistic  approaches. 

The  aboriginal  communities,  Health  Canada,  and  the  provincial  health  system  have 
not  resolved  the  jurisdictional  disputes  that  inhibit  integrated  service.  While  we 
identified  RHAs  where  individual  service  providers  go  on-reserve  to  deliver 
service,  we  did  not  see  evidence  of  integrated  mental  health  service  delivery  on- 
reserve. 


Lack  of  data  on 
aboriginal  mental 
health 


Suicide  prevention 
programs  and 
support 


Good  practice 


No  RHA  rigorously  collects  data  on  aboriginal  mental  health  issues.  Without  a 
system  of  data  collection,  RHAs  will  not  contribute  to  the  "need  for  more 
accurate  data  specific  to  the  Aboriginal  people"  as  advocated  in  the  Framework 
strategies. 

Our  field  work  across  Alberta  confirms  that  RHAs  have  responded  to  A  Call  to 
Action  by  introducing  a  variety  of  suicide  prevention  programs.  For  example, 
goals  3  and  4  of  A  Call  to  Action  encourage  improved  intervention  programs 
and  increased  support  for  those  affected  by  suicide.  All  RHAs  deliver  suicide 
prevention  programs  and  most  offer  post-vention  programs.  Not-for-profit 
organizations  deliver  many  of  these  programs. 

Goal  7  deals  with  surveillance  systems  that  collect,  analyze,  and  interpret 
suicide  data.  Calgary  studied  ten  years  of  its  own  statistics  for  clients  who 
committed  suicide  while  in  RHA  care.  They  found  their  statistics  closely 
mirrored  what  the  literature  says:  hospitalized  patients  are  at  greatest  risk 
shortly  after  their  discharge.  With  local  data  to  support  their  case,  Calgary 
developed  a  pilot  program  called  "Seven  Day  Follow  Up".  The  pilot  showed 
that  follow  up  improved  compliance  with  medication  and  therapy. 
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Difficult  to  assess 
effectiveness  of 
suicide  programs 


However  the  effectiveness  of  suicide  prevention  and  post-vention  programs  is 
still  not  clear.  For  example,  service  providers  debate  whether  the  Critical 
Incident  Stress  Management  (CISM)  model20  for  post-vention  is  effective. 
Some  RHAs  rely  on  CISM  while  others  point  to  research  that  suggests  it  may 
be  counterproductive  for  many  clients.  This  is  an  example  of  the  difficulty  in 
assessing  how  influential  mental  health  interventions  are  in  reducing  suicidal 
behaviour. 


Implications  and  risks  if  recommendation  not  implemented 

Unachievable  goals  and  targets  can  result  in  ineffective  strategies  and  cause 
resources  to  be  misallocated  among  mental  health  priorities.  Strategies  that 
cannot  be  measured  in  terms  of  their  contribution  to  goals  and  targets  make  it 
difficult  to  assess  their  success. 


CISM  is  a  process  designed  to  help  clients  reduce  the  chance  of  post-traumatic  stress  after  experiencing  a  disaster.  One  of 
the  disasters  to  which  CISM  responds  is  suicide  by  family,  friends,  or  colleagues. 
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Five  topics 
discussed  with 
service  users 


Difficult  access 
and  entry 


Identifying  needs 
and  getting 
diagnosed 


Limited  mental 
health  knowledge 
in  ERs 


Good  response 
when  mental 
health 

professionals  in 
ER 


Multiple  needs  not 
well  served 


Appendix  A: 

Summary  of  focus  groups  and  surveys 

Focus  groups  f 

We  summarize  service  users'  feedback  by  the  five  topics  discussed  in  our  focus 
groups-  hospital-based  services;  community-based  services;  housing  and 
supportive  living:  input  by  service  users  and  their  families;  and  progress  in 
implementing  the  Provincial  Mental  Health  Plan. 

Hospital-based  services  ... 
Almost  all  service  users  had  difficulty  accessing  hospital-based  mental  health 
services  and  the  mental  health  system  overall.  The  majority  of  service  users  said 
the  diagnosis  process  was  long  and  difficult.  Most  service  users  said  they  think 
their  family  physicians  have  limited  mental  health  knowledge  and  thus  are  not 
particularly  helpful  in  diagnosing  mental  illness  or  issues.  Most  family 
members  gave  accounts  of  being  dismissed  or  ignored  when  bringing  the 
mental  health  concerns  of  a  family  member  to  the  mental  health  practitioners. 

Almost  all  service  users  reported  barriers  in  their  initial  attempts  to  have  their 
mental  health  needs  recognized  and  addressed,  including  not  knowing  where  to 
go  for  mental  health  help  other  than  the  hospital  emergency  room  (ER)  or 
family  physician.  The  majority  of  service  users  reported  having  to  make  several 
visits  to  the  ER  or  to  the  family  physician  before  their  mental  health  needs  were 
recognized  as  mental  health  needs.  Almost  all  service  users  with  depression 
reported  having  difficulty  accessing  services  as  they  felt  that  their  concerns 
were  initially  downplayed  or  dismissed. 

Almost  all  service  users  depict  ER  staff  as  having  limited  or  no  knowledge 
about  mental  health  or  mental  illness.  Almost  all  service  users  believe  that 
mental  health  is  not  a  priority  for  the  ER;  this  limits  the  care  that  service  users 
receive  Almost  all  mental  health  service  users  feel  that  they  get  lost  in  the  ER 
as  there  is  no  standard  process  to  address  mental  health  needs.  There  is  no 
consistency  in  the  presence  of  mental  health  professionals  or  crisis  support 
within  the  ER. 

Where  mental  health  professionals  or  crisis  services  are  available  within  the  ER, 
service  users  reported  a  good  response  to  their  mental  health  needs.  However, 
mental  health  professionals  in  the  ER  are  the  exception  rather  than  the  rule 
through  most  regions. 

Almost  all  service  users  with  multiple  needs  reported  difficulty  obtaining 
services  to  address  their  full  range  of  needs.  In  general,  services  are  restricted  to 


Report  of  the  Auditor  General  of  Alberta— October  2008 


193 


Health  and  Wellness 


Alberta's  mental  health  service  delivery  system — Appendix  A 


the  mental  health  need  or  the  other  need  but  not  both.  Almost  all  service  users 
perceive  a  lack  of  coordination  across  services.  The  system  offers  limited  access 
to  collaborative  approaches  that  address  multiple  needs  (e.g.  concurrent 
disorder  treatment  coordinated  between  mental  health  and  AADAC) . 


Users  not  clear 
about  their 
treatment  plans 


Issues  with 
discharge  planning 


The  majority  of  service  users  who  had  been  inpatients  on  a  psychiatric  unit 
stated  they  felt  supported  in  their  care  and  were  positive  about  their  overall 
experience.  However,  almost  all  service  users  seemed  unclear  whether  they  had 
a  treatment  plan.  Most  service  users  indicated  that  treatment  plans  need  to  be  a 
team  effort  between  patient  and  professionals. 

Almost  all  service  users  noted  some  difficulty  with  the  transition  from  hospital 
to  community  at  some  point  in  their  experience.  Most  service  users  reported 
that  they  were  discharged  without  active  discharge  planning  (i.e.  without  being 
actively  connected  to  a  full  range  of  community  services) .  Several  service  users 
reported  that  being  actively  connected  to  community  services  and  programs 
upon  discharge  contributed  to  their  ability  to  remain  in  the  community.  Most 
service  users  note  that  discharge  referrals  relate  more  to  the  medical  and 
medication  aspects  of  the  illness  than  to  basic  needs  and  supports  such  as 
housing,  income,  employment,  recreation  and  so  on.  Most  family  members 
talked  about  not  being  included  in  discussions  or  planning  while  their  family 
was  in  hospital.  However  once  it  was  time  for  discharge  family  members  were 
identified  as  the  sole  source  of  support. 


Service  users 
pleased  with  the 
services  they 
currently  receive 


24/7  crisis 
response  not 
commonly 
available 


Community-based  services 

The  majority  of  service  users  said  they  were  pleased  to  get  community  mental 
health  services  and  were  conscious  of  the  pressures  on  the  service  delivery 
system.  Almost  all  service  users  said  they  want  to  be  supported  to  stay  in  the 
community.  All  service  users  view  community  mental  health  services  and 
programs  as  the  "backbone"  of  the  mental  health  system  and  believe  that  the 
concentration  of  resources  should  be  in  the  community.  Almost  all  service  users 
are  pleased  with  their  mental  health  services  when  they  are  supported  by 
outreach  services.  However,  they  do  not  think  they  get  all  the  services  they  need 
in  the  community. 

Almost  all  service  users  prefer  mental  health  crisis  services  that  focus  on 
helping  people  remain  in  the  community  without  having  to  go  to  hospital.  Most 
service  users  noted  that  crisis  services  available  on  a  24  hour,  seven  days  a 
week  basis  are  currently  not  available  in  all  regions  or  across  all  regions.  The 
majority  of  service  users  would  like  community-based  crisis  services  on  a  24/7 
basis. 
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Case  management 
not  generally 
available 


Most  if  not  all  service  users  feel  they  could  benefit  from  case  management  or 
system  navigation;  both  services  are  not  seen  as  generally  available  Mom 
service  users  said  if  they  had  a  treatment  or  service  plan  in  place,  they  were  not 
aware  of  it. 


Outreach 
programs  key  to 
community  living 


Limited  services 
going  out  to  the 
service  user 


Limited 
coordination  of 
services 


Most  service  users  believe  that  outreach  supports  that  are  flexible  and  address 
individual  needs  are  key  to  staying  healthy  and  in  the  community.  Several 
service  users  stated  that  they  are  not  able  to  access  outreach  services  even 
though  they  feel  they  would  benefit  from  these  services.  Most  service  users  note 
they  rely  heavily  on  community  agencies  for  a  broad  range  of  peer  support  and 
advocacy  activities. 

Almost  all  service  users  acknowledge  the  importance  of  addressing  basic  needs 
as  part  of  improving  their  mental  health.  In  addition  to  housing  and  supportive 
living,  service  users  identified  income  support  and  assistance  with  employment 
programs  as  valuable.  Most  individuals  reported  that  they  were  seeing  a 
therapist  at  a  community  mental  health  clinic  and/or  a  psychiatrist  on  a  regular 
basis,  and  this  was  often  all  they  were  accessing.  They  were  for  the  most  part 
happy  to  have  these  therapeutic  services  but  many  noted  they  would  like  to 
access  other  options. 

Most  service  users  identify  a  lack  of  consistency  in  service  options  across 
regions  as  well  as  within  regions.  Most  service  users  reported  that  there  is 
limited  coordination  between  services  and  programs.  Most  service  users 
identified  a  lack  of  awareness  and  even  confusion  about  available  services  and 
how  to  access  them. 


Problems  in 
housing 


Support  delivered 
to  their  homes  is 
critical 


Housing  and  supportive  living 

Most  service  users  in  the  focus  groups  had  housing  options.  Some  service  users 
emphasized  there  are  very  limited  housing  options  for  individuals  known  to 
have  mental  illness  and  or  to  be  on  income  support.  Very  few  service  users  had 
help  from  the  mental  health  system  in  acquiring  housing. 

Where  service  users  have  supports  going  to  their  home,  they  are  extremely 
pleased  and  feel  able  to  stay  well.  Most  service  users  noted  supportive  living 
options  are  limited  and  difficult  to  access.  Almost  all  service  users  state  that 
having  supports  provided  where  they  live  is  more  helpful  than  any  other  service 
in  dealing  with  their  mental  illness. 
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C 


Service  users  not 
asked  for  their 
input 


Input  by  service  users  and  their  families 

Almost  all  of  the  service  users  do  not  feel  that  they  are  involved  in  or  asked  for 
input  about  the  care  and  treatment  they  receive  from  the  mental  health  system. 
Except  for  six  of  the  103  attending,  service  users  have  not  been  asked  for  input 
from  the  regional  health  authorities  in  either  satisfaction  surveys  or  providing 
input  into  program  delivery  or  design. 


Little  has  changed 


Progress  in  implementing  the  Provincial  Mental  Health  Plan 

Almost  all  service  users  thought  that  little  has  changed  since  the  release  of  the 

Provincial  Mental  Health  Plan  more  than  four  years  ago. 


Structure  of 
survey  responses 


Surveys 

Our  survey  questions  required  the  following  types  of  response:  yes  or  no; 
defined  levels  of  activity  (e.g.  0  to  1%;  2  to  25%;  26  to  50%;  etc.);  selection 
from  a  list  of  suggested  answers  (where  one  or  more  answers  were  permitted, 
depending  on  the  question) ;  and  a  five-point  scale  where  1  =  strongly  agree, 
2  =  agree,  3  =  neutral,  4  =  disagree,  and  5  =  strongly  disagree. 


We  surveyed  13 
AMA  sections 


Three  parts  to  our 

survey: 

demographic, 

practice, 

coordination 


Demographic 
information 


Physicians 

The  three  psychiatric  specialties  amongst  the  13  surveyed  AMA  sections  were: 
general  psychiatry;  child  and  adolescent  psychiatry;  and  generalists  in  mental 
health.  The  ten  of  13  sections  that  were  not  psychiatric  specialists  (in 
descending  number  of  responses  in  our  survey)  were:  general  practice;  rural 
medicine;  emergency  medicine;  pediatrics;  internal  medicine;  obstetrics  and 
gynecology;  neurology;  addiction  medicine;  community  health;  and 
occupational  medicine. 

We  divided  the  survey  into  three  parts.  We  first  asked  for  demographic 
information  about  the  physician  (e.g.  where  he  worked,  whether  he  is  a  member 
in  a  primary  care  network).  The  second  part  focused  on  the  physician's  practice 
(e.g.  whether  demand  for  mental  health  services  has  increased,  what  type  of 
mental  health  work  is  provided) .  The  last  part  focused  on  coordinated  mental 
health  service  delivery  (e.g.  whether  the  physician  had  timely  access  to  experts 
or  community  services) . 

About  38%  of  respondents  were  general  practitioners;  28%  were  psychiatric 
specialists;  almost  10%  were  emergency  medicine  physicians;  the  remaining 
24%  were  distributed  amongst  the  other  10  AMA  sections.  About  one-third 
practised  in  the  Calgary  Health  Region,  about  one-third  in  Capital,  and  the 
remaining  third  around  the  province.  About  one-third  were  members  of  a 
primary  care  network. 
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Practice 
information 


Importance  of 
coordinated 
service  between 
physicians  and 
RHAs 


Physicians  not 
satisfied  with 
RHA  services 


Physicians  reported  their  patients  had  mental  health  issues  at  the  rate  suggested 
by  mental  health  literature.  Specialists'  practices  deal  solely  with  mental  health 
patients;  the  other  sections  report  that  up  to  50%  of  their  patients  have  mental 
health  issues.  Physicians,  both  psychiatric  specialists  and  others,  spend  about 
half  their  time  allotted  to  mental  health  patients  assessing  and  diagnosing,  while 
about  a  quarter  of  their  time  with  these  patients  goes  to  non-medical 
interventions  such  as  therapy.  Physicians  report  that  demand  for  mental  health 
services  has  increased  in  the  past  three  years  and  two-thirds  of  physicians  have 
taken  some  form  of  mental  health  training  in  that  time  frame. 

To  the  question,  "To  which  service  providers  do  you  refer  patients  with  mental 
health  issues?",  the  most  frequent  answer  was  to  community  mental  health 
clinics  and  outpatient  programs.  The  second  most  frequent  was  psychiatrists 
while  the  third  was  other  RHA  mental  health  services.  Community  mental 
health  clinics  and  outpatient  programs  was  also  the  most  frequent  answer  to  the 
question,  "With  which  service  providers  would  you  like  to  have  a  closer 
working  relationship?"  These  responses  indicate  the  importance  of  coordinated 
service  between  physicians  and  the  RHAs'  mental  health  programs. 

More  than  60%  of  respondents  disagree  or  disagree  strongly  with  the  statement, 
"I  am  satisfied  with  the  local  support/specialist  mental  health  services  in  my 
RHA".  The  psychiatric  specialists  and  emergency  physicians  are  more  likely  to 
agree  or  strongly  agree  with  that  statement  but  still  indicate  disagreement  at 
rates  above  50%. 


Physicians  have 
concerns  with 
aspects  of 
coordination 


On  a  series  of  questions  about  particular  mental  health  issues,  physicians 
indicated  their  concern.  We  list  the  issues  relevant  to  our  audit  findings, 
followed  in  parentheses  by  the  percent  of  those  agreeing  (agree  or  strongly 
agree)  and  disagreeing  (disagree  or  strongly  disagree)  that  the  issue  is 
adequately  handled. 

•  Access  to  specialists  is  timely  (14  %  agree;  72%  disagree); 

•  Case  management  and  community  follow-up  are  adequate  (8%  agree; 
70%  disagree) ; 

•  Appropriate  mental  health  community  treatment  programs  are  available 
(14%  agree;  60%  disagree); 

•  Appropriate  housing  options  are  available  (3%  agree;  74%  disagree); 

•  Mental  health  service  delivery  in  Alberta  has  improved  in  the  last  three 
years  (17%  agree;  45%  disagree). 
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Three  parts  to  our 

survey: 

demographic, 

coordination, 

service  delivery 

gaps 


Demographic 
information 


Practice 
information 


Importance  of 
accessing  a 
continuum  of 
mental  health 
expertise 


Continued  need  to 
provide 

information  about 
mental  health 


services 


Psychologists 

We  divided  the  survey  into  three  parts.  We  first  asked  for  details  about  where 
and  how  the  psychologist  delivers  his  services.  The  second  focused  on  the 
psychologist's  view  of  coordination  and  collaboration  in  the  mental  health 
system  and  his  relationships  with  other  service  providers.  The  third  focused  on 
systemic  mental  health  service  delivery  gaps  of  concern  to  the  psychologist 
(e.g.  whether  appropriate  housing  options  are  available  or  access  to  mental 
health  specialists  is  timely). 

About  40%  of  respondents  worked  in  the  Calgary  Health  Region;  38%  worked 
in  Capital.  The  remaining  22%  were  distributed  between  the  other  7  RHAs. 
Amongst  the  respondents,  about  33%  identified  themselves  as  primarily  being 
in  private  practice;  15%  worked  in  RHA  community  mental  health  clinics  or 
other  RHA  community  services;  13%  worked  in  the  school  system;  11% 
worked  in  hospitals.  The  remaining  28%  worked  in  the  forensic  system,  for 
federal  government  or  not-for-profit  organizations,  or  in  other  areas. 

When  dealing  with  mental  health  clients,  about  67%  of  respondents  indicated 
most  of  their  effort  was  spent  providing  treatments  (e.g.  therapy,  counselling) ; 
just  over  20%  indicated  they  spent  most  of  their  time  assessing  and  diagnosing 
clients.  Just  over  half  of  the  respondents  indicated  demand  for  mental  health 
services  in  their  practice  had  increased  significantly  in  the  past  three  years. 

To  the  question,  "To  which  of  the  following  service  providers  do  you  refer 
mental  health  clients?",  psychologists  singled  out  three  in  particular.  67%  of 
respondents  identified  psychiatrists,  65%  listed  other  psychologists  (i.e. 
specialists  in  different  types  of  therapy),  and  62%  named  community  mental 
health  clinics  and  outpatient  centres.  67%  of  respondents  identified  outpatient 
and  community  treatment  programs  as  the  organization  or  service  provider  with 
which  they  would  like  to  have  a  closer  working  relationship  around  mental 
health  cases.  These  responses  demonstrate  psychologists'  reliance  on  access  to 
a  continuum  of  mental  health  care  in  treating  their  clients. 

More  than  57%  of  respondents  disagree  or  strongly  disagree  with  the  statement 
"I  receive  adequate  information  about  mental  health  resources  available  in  my 
health  region",  while  26%  either  agree  or  strongly  agree.  To  the  question,  "I 
receive  sufficient  information  via  systematic  updates  about  available  mental 
health  services  and  programs  from  other  organizations  and  service  providers", 
almost  70%  of  respondents  disagree  or  strongly  disagree  while  only  17%  agree 
or  strongly  agree.  These  results  suggest  there  is  room  for  improvement  by 
Alberta  Health  Services  and  regional  managers  in  disseminating  information 
about  available  mental  health  services. 
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Psychologists 
have  concerns 
with  aspects  of  the 
mental  health 
system 


On  a  series  of  questions  about  particular  mental  health  issues,  psychologists 
indicated  their  concern.  We  list  the  issues  relevant  to  our  audit  findings, 
followed  in  parentheses  by  the  percent  of  those  agreeing  (agree  or  strongly 
agree)  and  disagreeing  (disagree  or  strongly  disagree)  that  the  issue  is 
adequately  handled. 

•  Access  to  specialists  is  timely  (13%  agree;  82%  disagree); 

•  Case  management  and  community  follow-up  are  adequate  (7%  agree;  78% 
disagree) ; 

•  Appropriate  mental  health  community  treatment  programs  are  available 
(14%  agree;  73%  disagree); 

•  Communication  between  service  providers  is  adequate  (11%  agree;  69% 

disagree) ; 

•  Appropriate  housing  options  are  available  (3%  agree;  74%  disagree) ; 

•  Service  delivery  coordination  for  mental  health  in  Alberta  has  improved  in 
the  last  three  years  (15%  agree;  51%  disagree). 
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Three  interrelated 
audit  objectives 


Appendix  B: 

Our  audit  approach 

Audit  objectives 

For  Phase  II  of  our  mental  health  audit,  we  examined  aspects  of  mental  health 
service  delivery  in  the  nine  regional  health  authorities  (RHAs).  We  had  three 
interrelated  objectives  for  our  work.  We  wanted  to  determine  whether: 

•  there  is  a  functioning  mental  health  continuum  of  care  for  mental  health 
clients  and  patients  in  every  region  of  the  province,  all  other  factors  such  as 
geographic  size  and  population  differences  being  equal; 

•  the  RHAs  are  actively  implementing  the  principles  of  the  Provincial  Mental 
Health  Plan; 

•  we  could  identify  good  practices  in  mental  health  service  delivery. 


Sampled  seven 
components 
within  mental 
health 


Audit  scope 

We  could  not  examine  everything  in  a  field  as  vast  as  mental  health.  To 
maintain  a  manageable  scope,  we  audited  RHA  service  delivery  only1.  Within 
the  RHAs'  service  delivery,  we  sampled  and  sub-sampled  programs2.  From  our 
knowledge-of-business  and  Phase  I  work,  we  categorized  22  mental  health 
"components"  or  program  areas.  These  included  components  such  as  child  and 
adolescent  mental  health,  senior's  mental  health,  forensic  mental  health, 
funding  models,  and  collaborative  services.  Of  these  22,  we  chose  seven 
components  that  would  give  us  sufficient  coverage  of  mental  health.  The  seven 
are: 

•  Hospital-based  programs  (only  systems  related  to  length  of  stay, 
emergency  room  mental  health  protocols,  and  discharge  planning); 

•  Community-based  programs  (our  largest  component  of  work  dealing  with 
aspects  of  intake,  assessment,  crisis  intervention,  treatment,  discharge,  and 
information  systems) ; 

•  Housing  and  supportive  living; 

•  Concurrent  programs  (i.e.  clients  with  addiction  as  well  as  mental  health 

issues) ; 

•  Planning  and  reporting  systems; 

•  Aboriginal  mental  health; 

•  Suicide  prevention. 


1  Other  Alberta  government  ministries  deliver  mental  health  services.  For  example,  the  education  system  offers  services  to 
students,  the  correction  system  offers  services  to  prisoners,  etc. 

2  This  included  direct  service  delivery  by  the  RHA  and  services  delivered  by  contracted  agencies. 
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Audit  period  was 
2007-08 


Six  RHAs  audited 
in  detail;  three 
reviewed 


Even  within  these  seven  components,  we  could  not  audit  everything.  We  further 
refined  our  scope  by  concentrating  on  adult  programs  only.  As  well,  we  sub- 
sampled  within  each  component  when  RHAs  had  multiple  adult  programs 

With  this  scope,  we  did  not  audit  a  wide  swath  of  mental  health  programs. 
However,  the  scope  of  what  we  covered  provides  us  with  sufficient  appropriate 
audit  evidence  on  which  to  base  our  conclusions.  To  give  a  taste  of  how  broad 
the  scope  of  mental  health  is,  here  is  a  partial  list  of  exclusions  from  our  audit: 

•  Geriatric  programs; 

•  Children  and  adolescents'  programs; 

•  Forensic  programs; 

.     Specialized  mental  health  facilities  such  as  Ponoka's  Centennial  Centre,  the 
Claresholm  Care  Centre,  or  Alberta  Hospital  Edmonton. 

In  particular,  we  did  not  question  the  treatments  prescribed  by  doctors, 
psychologists,  and  therapists.  We  audited  the  systems  that  support  the  work  of 
the  mental  health  professionals. 

Our  audit  period  was  April  2007  through  March  2008.  When  we  drew  samples, 
we  defined  our  population  as  2007-08  or  a  portion  thereof.  We  completed  the 
work  at  the  RHAs  and,  where  services  were  outsourced  to  not-for-profit 
organizations,  at  those  organizations.  We  also  sought  the  feedback  of 
psychiatrists  and  psychologists  through  survey  as  well  as  mental  health  clients 
through  focus  groups.  This  feedback  provided  us  with  corroborating  evidence 
that  we  have  used  throughout  this  report. 

RHA  visits 

We  visited  all  nine  RHAs  over  a  period  of  13  weeks  from  April  to  July  2008. 
We  performed  audit  quality  work  at  six  of  the  RHAs:  Chinook,  Calgary,  David 
Thompson,  East  Central,  Capital,  and  Peace.  We  had  two  audit  teams  in  the 
field  at  once.  Our  three-  or  four-person  teams  spent  at  least  two  weeks  at  the 
smaller  RHAs  and  three  weeks  at  Calgary  and  Capital.  We  performed  review 
quality  work  at  the  remaining  three  RHAs:  Palliser,  Aspen,  and  Northern 
Lights.  In  these  visits,  a  two-person  team  spent  two  days  in  each  RHA. 

The  difference  between  audit  quality  and  review  quality  is  the  extent  of  work, 
the  quality  and  quantity  of  evidence,  and  therefore  the  level  of  assurance  we 
have  in  drawing  conclusions  and  making  recommendations.  We  summarize  our 
work  below. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


201 


Health  and  Wellness 


Alberta's  mental  health  service  delivery  system — Appendix  B 


Audit  visits 

At  each  RHA,  mental  health  management  had  organized  extensive 
documentation  of  their  systems  and  organization.  We  reviewed  this  information 
and  interviewed  management  and  workers  to  confirm  our  understanding  of 
those  systems.  We  examined  patient  files  in  the  hospitals  and  clinics.  Our 
sampling  methodology  was  judgmental  and  purposeful. 

In  the  major  city  in  each  of  the  six  RHAs,  we: 

•  Visited  a  city  hospital.  In  Calgary  and  Capital,  we  chose  one  hospital  of  the 
three  or  four  city  hospitals  (respectively)  that  have  psychiatric  units.  In  all 
cases  but  Camrose  in  East  Central,  the  hospital  we  visited  is  a  designated 
facility  under  the  Mental  Health  Act.  At  each  of  these  hospitals,  we 
interviewed  emergency  room  (ER)  and  psychiatric  unit  staff  and  toured  the 
facilities. 

•  Examined  132  inpatient  files  in  total.  We  sampled  from  discharges  between 
April  1,  2007  and  March  31,  2008. 

•  Examined  82  inpatient  files  for  ER  visits  whose  primary  diagnosis  was 
mental  health.  We  sampled  from  visits  between  October  1,  2007  and 
March  31,  2008. 

•  Visited  one  mental  health  clinic,  interviewed  staff,  toured  the  facility,  and 
observed  processes  such  as  scheduling  appointments,  data  entry,  and  case 
conferences. 

•  Examined  131  client  files  from  the  adult  short  term  program,  as  every  RHA 
has  such  a  program. 

•  Examined  16  client  files  from  a  selection  of  other  adult  programs  offered. 
In  the  larger  RHAs,  there  are  programs  other  than  adult  short  term  (e.g. 
ACT,  outreach,  and  community  extension). 

•  Interviewed  a  selection  of  not-for-profit  organizations  contracted  by  the 
RHAs  to  deliver  mental  health  services. 

•  Collected  summary  statistics  as  consistently  as  we  could,  given  the 
differences  in  computerized  information  systems  and  operational  practices 
across  the  province.  We  also  verified  the  completeness  and  accuracy  of 
data  on  those  systems  by  tracing  sample  information  in  the  inpatient/client 
files  to  the  computer  system. 

During  each  of  the  six  RHA  visits,  we  selected  a  smaller  town  in  which  the 
RHA  has  a  mental  health  clinic.  During  a  one-day  visit  to  that  town,  we: 

•  Visited  the  local  hospital  and  interviewed  ER  staff.  These  hospitals  did  not 
have  a  psychiatric  unit. 

•  Examined  57  inpatient  files  of  ER  visits  whose  primary  diagnosis  was 
mental  health.  We  sampled  from  visits  between  October  1 ,  2007  and 
March  31,  2008. 
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•  Visited  the  local  mental  health  c  linic  and  interviewed  staff. 

•  Examined  55  client  files  from  the  clinic. 

Review  visits 

At  each  of  the  three  RHAs  we  visited,  mental  health  management  had  organized 
extensive  documentation  of  their  systems  and  organization.  We  reviewed  this 
material  and  interviewed  management  and  workers  to  confirm  our 
understanding  of  those  systems.  We  reviewed  patient  or  client  files  in  the 
hospitals  and  clinics  only  to  confirm  our  understanding  of  systems. 

Focus  groups 

The  work  described  above  took  place  in  the  RHAs'  premises.  We  also  wanted 
to  obtain  the  opinions  of  mental  health  service  users  and  their  families.  We 
accomplished  this  through  focus  groups  held  around  Alberta.  We  divided  the 
province  into  five  regions  (south,  Calgary,  central,  Edmonton,  and  north)  and 
performed  a  series  of  focus  groups  in  each  region.  In  total,  we  held  24  focus 
groups  with  1 18  participants,  103  of  whom  were  service  users  and  15  family 
members.  We  summarize  the  results  in  Appendix  A. 

Surveys 

We  also  wanted  feedback  from  professional  groups  that  play  a  key  role  in 
delivering  mental  health  services  in  Alberta.  During  our  RHA  visits,  we  met 
many  administrators,  nurses,  social  workers,  and  outreach  workers  in  the  mental 
health  field.  We  did  not  have  the  opportunity  to  meet  as  many  physicians  or 
psychologists.  As  well,  these  two  professions  offer  many  of  the  mental  health 
services  offered  outside  the  RHA.  For  example,  general  practitioners  are  often 
the  first  point  of  contact  for  people  with  a  mental  illness.  We  surveyed  these 
two  professions.  We  summarize  the  results  of  our  two  surveys  in  Appendix  A. 

Physicians 

We  arranged  our  survey  with  the  assistance  of  the  Alberta  Medical  Association 
(AMA).  The  AMA  categorizes  its  members  by  sections;  a  section  is  an  area  of 
practice  such  as  general  practice,  internal  medicine,  or  general  psychiatry.  We 
selected  13  of  these  sections  because  they  play  a  role  in  mental  health.  Broadly 
speaking,  we  targeted  two  groups  of  sections.  Psychiatrists,  child  and 
adolescent  psychiatrists,  and  general  practitioners  with  a  special  interest  in 
psychiatry  comprise  the  mental  health  specialist  group.  The  other  ten  sections 
we  surveyed  (e.g.  emergency  room  practitioners,  internists,  and  pediatricians) 
deal  regularly  with  mental  health  patients.  We  conducted  our  survey 
electronically  over  the  Internet. 
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We  prepared  a  survey  of  38  questions,  vetting  our  questions  with  the  Alberta 
Mental  Health  Board  and  Department  of  Health  and  Wellness.  We  conducted 
the  survey  in  January  2008.  We  invited  3072  physicians  to  participate  and  462 
responded  for  a  response  rate  of  15%.  This  response  yields  data  accurate  to 
within  +/-  4.2%  at  a  confidence  level  of  95%. 

Psychologists 

We  arranged  this  survey  with  the  assistance  of  the  College  of  Alberta 
Psychologists.  We  prepared  a  survey  of  32  questions.  We  conducted  the  survey 
in  June  2008.  A  total  of  2000  psychologists  were  invited  to  participate  via  a 
mail  out  request.  Respondents  replied  by  accessing  a  website  and  completing 
the  survey  online.  354  psychologists  responded  for  a  response  rate  of  17.7%. 
This  response  yields  data  accurate  to  within  +/-  4.73%  at  a  confidence  level  of 
95%. 


Component-by-component  audit  criteria 

For  each  of  our  seven  selected  components,  we  created  criteria  to  guide  our 
work.  Here  are  the  criteria  we  applied  throughout  the  audit. 

Hospital-based  programs 

Hospital  emergency  rooms  should  be  prepared  for  mental  health  cases. 
There  should  be  systems  to  monitor  and  act  on  length  of  stay  and  related 
measures. 

There  should  be  systems  to  plan  inpatient  discharge  to  facilitate  successful 
transition. 


Community-based  programs 

There  should  be  systems  to  triage  and  intake  mental  health  clients. 
There  should  be  systems  to  provide  mental  health  crisis  intervention. 
There  should  be  systems  to  assess  mental  health  clients  shortly  after  intake. 
There  should  be  systems  to  treat  mental  health  clients  in  the  community. 
There  should  be  systems  to  promote  continuity  of  care  on  discharge. 
Information  systems  should  capture  data  completely,  accurately,  and  on  a 
timely  basis. 

Housing  and  supportive  living 

The  RHA  should  have  systems  to  determine  the  supply  and  demand  for  housing 
and  supports  for  the  mentally  ill. 

The  RHA  should  collaborate  with  service  providers  to  develop  mental  health 
housing  and  supports. 

The  RHA  should  have  systems  to  ensure  housing  services  for  its  clients  are  safe 
and  appropriate. 


204 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Health  and  Wellness 


Alberta's  mental  health  service  delivery  system— Appendix  B 


There  should  be  systems  to  link  the  mentally  ill  with  housing  service  providers. 
Concurrent  disorders 

The  RHA  should  have  strategies  to  assist  clients  with  concurrent  disorders. 
RHA  staff  dealing  with  clients  with  concurrent  mental  health  and  substance 
abuse  issues  should  have  multi  faceted  assessment  and  intervention  training. 
The  RHA  should  collaborate  with  AADAC  and  its  funded  agencies  to  offer  an 
integrated  and  continuing  treatment  service  delivery  for  clients  with  concurrent 
mental  health  and  drug  and  alcohol  issues. 

Planning  and  reporting 

The  RHA's  mental  health  planning  should  be  consistent  with  the  Provincial 
Mental  Health  Plan  and  indicate  the  strategies  and  activities  necessary  to 
achieve  results. 

Budgeting  should  be  integrated  with  mental  health  planning  so  that  planned 
strategies  and  activities  are  resourced. 

The  RHA's  mental  health  reporting  (both  internal  and  external)  should  satisfy 
the  accountability  requirements  for  those  reporting. 

Mental  health  information  systems  should  make  summary  information  available 
to  staff  who  need  it. 

Aboriginal  mental  health 

The  RHA  should  have  strategies  to  address  aboriginal  mental  health  issues. 

The  RHA  should  have  aboriginal  mental  health  employees. 

There  should  be  systems  to  familiarize  RHA  staff  with  aboriginal  cultural 

needs. 

The  RHA  should  have  programs  for  aboriginals  with  mental  health  issues. 
The  RHA's  information  systems  should,  on  a  voluntary  basis,  record  aboriginal 
ethnicity. 

The  RHA  should  collaborate  with  other  service  providers  offering  aboriginal 
mental  health  programs. 

Suicide  prevention 

The  RHA  should  have  suicide  prevention  strategies  for  its  region. 

RHA  staff  working  with  mental  health  patients  identified  as  being  at  risk  of 

suicide  should  have  risk  assessment  training. 

The  RHA  should  have  suicide  prevention  programs. 

The  RHA  should  collaborate  with  external  agencies,  boards,  and  organizations 
that  have  established  suicide  support  and  prevention  programs  to  provide  an 
integrated  service  for  clients  at  risk  of  or  suffering  from  the  impact  of  suicide. 
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Government  of  Alberta  and  Ministry  Annual  Reports 


Unqualified 
auditor's  report 


Government  of  Alberta  and  Ministry 
Annual  Reports 

Performance  reporting 

Financial  statements 

Our  auditor's  report  on  the  Government  of  Alberta's  consolidated  financial 
statements  for  the  year  ended  March  31.  2008  is  unqualified. 

We  are  satisfied  that  the  transactions  and  activities  we  examined  in  financial 
statement  audits  complied  with  relevant  legislative  requirements.  As  auditors,  we 
test  only  some  transactions  and  activities,  so  we  caution  readers  that  it  would  be 
inappropriate  to  conclude  that  our  testing  would  identify  all  transactions  and 
activities  that  do  not  comply  with  the  law. 

We  issued  unqualified  auditor's  reports  on  ministry  financial  statements  for  the  year 
ended  March  31,  2008,  with  one  exception. 

Qualified  opinions   We  issued  a  qualified  opinion  on  the  Ministry  of  Environment's  financial 

statements— see  page  263.  We  did  not  express  an  opinion  on  the  Climate  Change 
and  Emissions  Management  Fund— see  page  262. 

We  issued  a  qualified  audit  opinion  on  the  Olympic  Oval/Anneau  Olympique, 
operated  by  the  University  of  Calgary— see  page  236. 


Crown-controlled 
SUCH  sector 
organizations 


The  consolidated  financial  statements  include  the  financial  results  of  Crown- 
controlled  SUCH  sector  organizations  using  the  modified  equity  basis  of 
accounting.  SUCH  is  an  acronym  for  schools,  universities,  colleges  and  hospitals, 
but  the  term  is  used  to  describe  a  much  broader  list  of  organizations,  including 
school  boards,  technical  institutes,  regional  health  authorities,  and  other  health 
boards. 

In  accordance  with  accounting  standards,  for  the  year  ending  March  31,  2009  the 
government  will  use  line-by-line  consolidation  for  SUCH  sector  organizations. 

Under  line-by-line  consolidation,  the  government's  capital  assets  would  have  been 
fully  consolidated,  so  net  assets  at  March  31,  2008  would  have  increased  by 
approximately  $12  billion. 
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One  exception  in 
our  report  on 
Measuring  Up 


Performance  measures 

We  found  one  exception  when  we  applied  specified  auditing  procedures  to  the 
performance  measures  in  Measuring  Up.  There  was  no  data  reported  for  the 
measure  Physical  Condition  of  Learning  Facilities— Schools  in  good,  fair,  or  poor 
condition.  Infrastructure  management  was  unable  to  provide  complete  data  for 
schools  in  time  for  reporting  in  Measuring  Up  in  June  2008.  As  a  result,  we  could 
not  complete  our  specified  auditing  procedures  for  this  measure. 


Exceptions  in  our 
reports  for  two 
ministries 


We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
performance  information  in  the  2007-2008  ministry  annual  reports  for  18  ministries. 
However,  our  reports  for  two  ministries  (Advanced  Education  and  Technology  and 
Infrastructure  and  Transportation)  noted  exceptions.  These  exceptions  are  described 
in  the  sections  for  those  ministries  in  this  Report. 


208 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Advanced  Education  and 
Technology 

Summary  of  our  recommendations 

The  University  of  Alberta  should: 

provide  increased  levels  of  detail  on  investments  to  the  Investment  Committee 
to  facilitate  the  monitoring  of  the  University's  investments-see  page  211. 
implement  approval  procedures  for  new  investment  vehicles-see  page  211. 

The  University  of  Calgary  should: 

improve  the  effectiveness  of  its  decentralized  control  environment-see 

page  213 

improve  controls  over  the  approvals  and  documentation  for  journal  entries-see 

page  217.  , 
improve  controls  over  the  approval  of  transactions  for  its  internally  managed 

investments— see  page  221. 

comply  with  the  Post-Secondary  Learning  Act  by  seeking  approval  of  the 
Lieutenant  Governor  in  Council  before  engaging  in  housing  loan  guarantee 
transactions— see  page  222. 

We  repeated  our  recommendations  that  the  University  of  Calgary  improve  controls 
over  payroll  functions-see  page  216.  and  PeopleSoft  security-see  page  219. 

The  University  of  Lethbridge  should  improve  its  year-end  processes  to  ensure  the 
preparation  of  complete  and  accurate  financial  statements— see  page  223. 

The  University  of  Lethbridge  should: 

.     clearly  define  and  communicate  the  financial  research-management  roles  and 
responsibilities  of  Research  Services,  Financial  Services,  and  Deans-see 
page  225. 

.    ensure  that  financial  research  policies  are  current  and  comprehensive-see 
page  227. 

.  maintain  proper  documentation  for  approving  research  accounts-see  page  U  l . 
.     ensure  that  researchers,  research  administrators  and  Financial  Services  staff  are 

aware  of  changes  to  financial  policies  and  are  properly  trained  to  comply  with 

the  policies— see  page  227. 
.     periodically  report  to  the  Board  of  Governors  key  information  on  financial  risks 

in  research  management— see  page  231. 
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Alberta's  four  universities,  together  with  the  Department  of  Advanced  Education 
and  Technology,  should  continue  to  work  together  to  review  the  accounting 
treatment  for  the  unfunded  liability  of  the  Universities  Academic  Pension  Plan— see 

page  232. 

The  Alberta  Heritage  Foundation  for  Science  and  Engineering  Research  should 
implement  our  recommendation  on  IT  control  frameworks  as  described  on 
page  5 1 . 


Our  audit  findings  and  recommendations 

1 .    Effective  monitoring  of  employers  providing  apprenticeship  training — 
implemented 

In  our  2005-2006  Annual  Report  (No.  23),  we  recommended  that  the 
Department  of  Advanced  Education  and  Technology  improve  its  monitoring  of 
employers  providing  apprenticeship  training.  We  also  recommended  on  page  12 
of  that  report,  that  the  Department  select  which  employers  to  visit  based  on  the 
likelihood  of  identifying  apprentice  training  opportunities  and  problems  at 
worksites. 


The  Department 
has  processes  to 
improve  the 
accuracy  of  the 
database 


Our  audit  findings 

Database  accuracy — The  Department  reviewed  its  database  of  employers  to 
identify  and  correct  inaccuracies,  and  clarified  instructions  to  field  staff  on  how 
the  classifications  of  active,  inactive  and  out-of-business  are  to  be  used.  We 
found  substantially  fewer  errors  than  in  prior  years;  the  Department's  ongoing 
processes  to  correct  errors  and  maintain  accurate  information  appear  to  be 
effective. 


Records  of  prior 
employer  visits 
are  now  available 
to  all  field  staff 


Recording  visits  to  employers — The  Department  expanded  its  directions  for 
field  staff  recording  the  results  of  employer  visits,  including  documentation  of 
compliance  orders  issued  or  other  issues.  The  Department  also  tracks 
compliance  orders  on  a  new  computer  system,  allowing  staff  to  search  for 
compliance  orders  for  specific  employers. 


Department 
evaluates  the 
quality  of 
employer  visits 
and  achievement 
of  program 
objectives 


Evaluation  of  staff— The  Department  improved  its  evaluation  of  the 
effectiveness  of  staff  carrying  out  employer  visits.  In  addition  to  targets  for  the 
number  of  employers  visited  in  a  year,  staff  are  also  evaluated  based  on  the 
number  of  new  apprentices  registered  in  the  region.  The  Department  has  also 
added  questions  to  its  biennial  survey  of  employers  to  evaluate  the  quality  of 
service  and  information  provided  by  staff  during  employer  visits. 
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Criteria 

communicated  to 
field  staff  for 
selecting 

employers  to  visit 


Investments 
managed 
externally  and 
internally 


University  holds 
$170  million  in 
ABCP 


Recorded 
$41  million 
impairment 


Selecting  employers  to  visit— The  Department  provided  guidance  to  staff  on 
selecting  employers/worksites  for  visits.  Staff  are  to  give  priority  to  following 
up  on  employers  where  compliance  issues  have  been  noted  in  the  past,  for 
which  complaints  have  been  received,  employers  identified  who  are  not 
currently  registered  in  the  Department's  employer  database,  and  employers  who 
have  not  been  visited  at  least  once  during  the  past  two  years. 

2.    Entities  that  report  to  the  Minister 
2.1  University  of  Alberta 

2.1.1  Improve  investment  controls 

Recommendation  No.  20 

We  recommend  that  the  University  of  Alberta: 

•  provide  increased  levels  of  detail  on  investments  to  the  Investment 
Committee  to  facilitate  the  monitoring  of  the  University's  investments, 
and 

•  implement  approval  procedures  for  new  investment  vehicles. 
Background 

The  University  Investment  Committee's  (Committee)  terms  of  reference 
mandate  the  periodic  monitoring  and  reviews  that  the  Committee  should 
conduct  over  the  University's  short  and  long-term  investments.  The  Committee 
has  also  developed  and  approved  an  overall  set  of  principles  and  beliefs,  mainly 
centered  on  the  Unitized  Endowment  Pool  (UEP).  These  principles  state  that 
external  investment  managers,  who  have  the  necessary  resources  and  expertise, 
should  manage  the  UEP,  and  that  the  Investment  and  Treasury  Department  may 
manage  a  small  amount  of  residual  cash. 

The  University  holds  investments  of  approximately  $170  million  in  asset- 
backed  commercial  paper  (ABCP).  Because  of  a  weakening  credit  market  since 
August  2007,  the  fair  value  of  ABCP,  both  bank  sponsored  and  non-bank 
sponsored,  have  fallen  dramatically.  Many  non-bank  sponsored  ABCP  is 
expected  to  be  restructured  into  long-term  variable  rate  notes  that  will  be  retired 
as  the  underlying  assets  in  the  conduit  are  liquidated.  Consequently,  the 
University  estimated  and  recorded  an  impairment  provision  in  the  value  of  its 
investments  (for  non-endowed  investments)  totalling  approximately  $41  million 
(24.91%  of  the  total  cost  base  of  its  ABCP). 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  appropriate  governance  processes,  including 
monitoring  and  reporting  investments  at  an  appropriate  level  to  ensure  the  risks 
to  the  University  are  maintained  at  a  reasonably  acceptable  level. 
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Investment 
committee  only 
receives  high- 
level  information 
on  the 

University's 
investments 


Our  audit  findings 

The  Investment  and  Treasury  Department  provides  the  Committee  with  a  report 
that  includes  high  level,  summarized  information  of  components  of  the 
University's  investments  along  with  a  comparison  of  the  overall  return  on  the 
investments  benchmarked  to  industry  standards.  The  report  also  includes 
exceptions  identified  in  the  investment  holdings  from  the  investment  policy. 
However,  the  report  does  not  provide  a  more  detailed  listing  of  the  University's 
investments  to  the  Committee  on  a  periodic  basis.  Without  a  periodic  detailed 
review  of  the  investment  listing,  the  monitoring  of  the  University's  activities 
and  holdings  in  relation  to  its  investment  policy  may  not  be  completed 
effectively.  Without  this  listing,  the  Committee  would  have  no  opportunity  to 
review  and  question  the  amount  of  investment  in  certain  securities,  the 
concentration  in  certain  types  of  investments,  and  whether  new  investments  are 
held,  which  may  have  a  higher  inherent  risk  associated  with  them  than  what 
was  intended  to  be  held  under  the  Investment  Policy. 


Internally 
managed 
investments  grew 
from  $16  million 
to  $310  million 


In  late  2007,  the  Investment  Policy  was  changed  to  clearly  define  what 
investments  should  be  managed  by  external  investment  managers  or  by  the 
Investment  and  Treasury  Department.  We  noted  in  discussions  with  the 
Investment  and  Treasury  Department  that  in  the  past  year,  internal  investment 
managers  manages  more  short  term  funding.  While  investments  managed 
internally  were  in  accordance  with  the  Investment  Policy,  the  amount  may  be 
exceeding  the  levels  contemplated  in  the  Committee's  document  on  its 
principles  and  beliefs,  as  short-term  investments  increased  from  $16  million  by 
March  31,  2007  to  $310  million  by  March  31,  2008. 


No  review  and 
approval  of  new 
investments 
before 

investments  are 
made 


Finally,  the  Director  of  Investments  and  Treasury  does  not  review  and  approve 
new  types  of  investments  or  investments  in  organizations  in  which  the 
University  has  not  previously  invested  at  the  time  the  investment  was 
purchased.  Currently,  a  member  of  the  Investment  and  Treasury  Department 
enters  into  a  transaction  and  another  member  of  the  Department  approves  the 
transaction  informally.  The  Director  completes  a  monthly  review  to  consider  all 
the  investments  held.  We  expect  that  this  review  would  detect  an  investment 
that  may  have  a  higher  potential  inherent  risk  than  may  be  acceptable  to  the 
University.  However,  the  implementation  of  an  initial  approval  would  represent 
a  more  timely  control  and  may  prevent  an  inappropriate  investment  being 
made.  This  may  also  help  the  Investment  and  Treasury  Department  to  identify 
early  changes  in  market  investment  risks  to  allow  periodic  adjustments  to  the 
University's  Investment  Policy  guidelines.  The  reporting  of  these  risks  to  the 
Investment  Committee  would  also  facilitate  improved  risk  management  over 
the  investment  process. 
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University  has 
substantially  dealt 
with  control 
deficiencies  noted 
in  2002-2003 


Implications  and  risks  if  recommendation  not  implemented 

Without  prompt  reviews  and  approvals  at  an  appropriate  level  of  detail,  the 
University  may  assume  risks  outside  of  the  range  deemed  acceptable  by  the 
University's  Board  of  Governors. 

2.1.2    Internal  control  systems  recommendation— implemented 
Background 

In  our  2002-2003  Annual  Report  (No.  34— page  235),  we  recommended  that 
the  University  of  Alberta  improve  its  system  of  internal  control.  Last  year,  we 
commented  that  the  University  still  had  to  fix  the  remaining  gaps  that  focused 
on  internal  controls  specific  to  authorizing  payment  for  invoices,  setting  up 
employees  on  the  payroll  system,  implementing  the  new  capital  asset  module, 
and  finishing  implementing  the  business  resumption  plan  and  disaster  recovery 
plan. 

The  University  implemented  the  recommendation  by  substantially  dealing  with 
the  control  deficiencies  and  improving  the  control  environment  from  when  the 
recommendation  was  first  made.  Also,  faculties  and  centralized  processing 
units  have  completed  financial  control  self-assessment  checklists  to  learn  what 
controls  and  processes  they  have  in  place  and  who  performs  those  controls  and 
processes.  The  University  created  a  new  position  and  hired  a  new  manager  to 
oversee  the  control  self-assessment  processes.  We  will  assess  the  impact  of  the 
assessment  when  we  assess  the  adequacy,  and  test  the  operating  effectiveness, 
of  the  Universities  various  business  processes  and  controls  in  future  audits. 

2.2  University  of  Calgary 

2.2.1  Improving  the  University's  decentralized  control  environment 
Recommendation  No.  21 

We  recommend  that  the  University  of  Calgary  improve  the  effectiveness  of 
its  control  environment  by: 

•  assessing  whether  the  current  mix  of  centralized  and  decentralized 
controls  is  appropriate  to  meet  its  business  needs. 

•  defining  clear  roles,  responsibilities  and  accountabilities  for  control 
systems'  design,  implementation,  and  monitoring. 

•  documenting  its  decentralized  control  environment  and  implementing 
training  programs  to  ensure  those  responsible  for  business  processes 
have  adequate  knowledge  to  perform  their  duties. 

•  monitoring  decentralized  controls  to  ensure  processes  operate 
effectively. 
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Effective  control 
environment 
important  for 
informed  decision 
making 


Corporate 
memory  loss  and 
decentralized 
administration  are 


issues 


Background 

The  control  environment  reflects  management's  philosophy,  attitude  and 
demonstrated  commitment  to  establishing  a  positive  atmosphere  for 
implementing  well-controlled  business  operations.  The  effectiveness  of  the 
control  environment  strongly  influences  the  timeliness  and  accuracy  of 
management  information  to  meet  management's  decision-making 
responsibilities  as  well  as  the  reliability  of  information  presented  to  external 
parties. 

The  University's  2008-2012  Business  Plan  identifies  the  rebuilding  of  financial 
capacity  and  the  loss  of  corporate  memory  as  major  issues.  It  also  recognizes 
that  the  University's  decentralized  administrative  model  compounds  the 
problem  of  adequately  supporting  faculties  and  units  during  a  time  of  high 
employee  turnover  and  a  lack  of  central  resources  to  provide  support. 


Criteria:  the  standards  we  used  for  our  audit 

The  University's  control  environment  should  ensure  that: 

•  business  processes  are  efficient  and  result  in  timely  and  accurate  financial 
and  non-financial  information. 

•  employees  have  adequate  knowledge  and  are  properly  trained  to  perform 
their  duties. 

•  controls  are  well  designed,  understood,  documented,  assessed  for 
adequacy,  and  centrally  monitored  for  effectiveness. 

•  roles  and  responsibilities  are  defined  to  ensure  controls  are  properly 
implemented,  improved,  maintained,  and  monitored. 


Decentralized 
processes  require 
central  oversight 


Our  audit  findings 

Our  review  of  the  University's  decentralized  control  environment  found  that: 

•  roles  and  accountabilities  are  not  adequately  defined. 

•  the  control  environment  is  not  sufficiently  documented  and  training  is 
inadequate  to  ensure  employees  carry  out  their  duties  correctly. 

•  central  monitoring  of  decentralized  controls  is  insufficient  to  ensure 
controls  are  consistently  applied  throughout  the  University  and  business 
processes  are  operating  efficiently. 

Balance  between  centralized  and  decentralized  systems  of  controls — Many 
of  the  University's  key  internal  controls  are  decentralized  among  the  various 
departments  and  faculties.  Given  the  size  and  complexity  of  the  University's 
operations,  it  needs  to  assess  its  current  control  environment  to  decide  on  the 
appropriate  mix  of  decentralized  and  centralized  controls  for  the  efficient 
conduct  of  its  business.  For  the  decentralized  environment  to  operate 
effectively,  the  University  requires  adequate  centralized  oversight  and 
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Current 
environment 
impedes  timely 
and  accurate 
financial 
information 


monitoring  to  ensure  all  its  business  processes  are  properly  followed,  and  that 
information  reported  to  Financial  Services  is  accurate  and  complete. 

University's  decentralized  controls  not  functioning  effectively — The 

existing  decentralized  control  environment  currently  impairs  Financial 
Service's  ability  to  efficiently  produce  timely,  accurate  financial  information 
throughout  the  year  and  financial  statements  at  year-end.  During  the  year, 
Research  and  Trust  Accounting  and  Financial  Services  spent  significant  time 
investigating,  compiling,  and  correcting  financial  reporting  errors  that  could 
have  been  avoided  with  properly  designed  and  implemented  preventative 
controls  at  the  business-unit  level.  The  time  spent  correcting  preventable  errors 
reduced  the  sustainability  of  business  processes,  diverting  resources  from 
regular  duties  to  correct  the  errors.  In  addition,  management  and  researchers  did 
not  have  reliable  financial  information  throughout  the  year  to  manage  accounts 
on  a  daily  basis  because  extensive  corrections  occurred  as  part  of  year-end 
activities. 


Lack  of  central 
monitoring 
prevents  detecting 
errors 


Inadequate 
training  of 
decentralized 
financial 
employees 


Central  Payroll  management  agreed  that  various  controls  over  the 
appropriateness  and  correctness  of  amounts  paid  to  employees  should  be 
implemented  and  monitored.  But  they  felt  it  was  not  their  job  to  do  so.  The 
inadequacy  of  decentralized  controls  throughout  the  organization  and  lack  of 
monitoring  at  central  Payroll  have  consequences  throughout  the  University.  For 
example,  the  Research  and  Trust  Accounting  Department  had  to  develop  time- 
consuming  manual  review  processes  and  direct  additional  resources  to  solve 
problems  stemming  from  incorrectly  coded  payroll  amounts.  We  believe  that 
poorly  designed  preventative  controls  in  the  payroll  information  system  resulted 
in  an  increased  burden  on  Financial  Services  and  Research  and  Trust  staff  to 
correct  financial-statement  errors  by  manual  review.  See  section  2.2.2— 
Improving  payroll  controls. 

Controls  over  general  ledger  transactions  are  spread  throughout  the  University's 
departments  and  faculties.  Decentralized  financial  employees  can  post  journal 
entries  and  set  parameters  for  automated  general  ledger  transactions  without 
necessarily  having  adequate  training  or  understanding  of  the  impact  of  their 
entries  on  the  financial  statements.  See  section  2.2.3 — Improving  controls  over 
journal  entries. 


Implications  and  risks  if  recommendation  not  implemented 

Without  an  adequate  control  environment,  the  University  may: 

•  experience  inefficient  and  unsustainable  business  processes  that  may  result 
in  fraud  and  error,  and  increased  costs. 

•  make  business  decisions  on  incomplete  or  inaccurate  financial  and 
non-financial  information. 
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2.2.2  Improving  payroll  controls — recommendation  repeated 

Recommendation  ( 

We  again  recommend  that  the  University  of  Calgary  improve  controls  over 

payroll  functions.  i 

0 

Background  ( 

Management  Last  year,  the  University  implemented  the  payroll  and  human  resource  module 

agreed  to  improve  .  PeopleSoft.  We  recommended  in  our  2006-2007 Annual  Report  (vol  2,  page  ' 
payroll  controls                       r                                                                               r      v           r  ° 

12)  that  the  University  improve  controls  over  payroll  as  terminated  employees  1 

were  overpaid  and  staff  had  access  to  incompatible  functions.  Management  i 

agreed  with  the  recommendation  and  planned  to  improve  controls  and  , 

processes  in  the  payroll  area  by  the  end  of  the  2008  fiscal  year.  ( 

We  now  repeat  the  recommendation  because  the  University  did  not  sufficiently  ^ 

mitigate  the  risks  of  incorrect  payroll  this  past  year.  ! 

I 

Criteria:  the  standards  we  used  for  our  audit  ( 

The  University  should  have  adequate  controls  to  ensure  that  it  approves  and  ( 
properly  monitors  new  employees,  terminations,  and  job-change  information.  In 

addition,  salary  and  benefits  paid  to  employees  should  be  supported  by  * 

appropriate  documentation.  < 

Our  audit  findings  < 

University  made  Although  management  has  implemented  review  processes  for  payroll 

progress  exception-reporting  and  developed  new  termination  processes,  it  has  not 

sufficiently  improved  controls  over  new  employees  and  system  access.  We  also  * 

found  additional  control  weaknesses  with  significant  implications  for  other  1 

University  departments,  and  for  the  financial  statements.  Section  2.2.1  < 

describes  how  the  decentralized  nature  of  payroll  controls  contributes  to  y 
institution-wide,  decentralized  control  weaknesses,  inefficient  and 
unsustainable  business  processes,  and  financial-reporting  errors. 

i 

We  identified  the  following  areas  that  still  need  improvement:  I 

a.    Improve  job-change  controls  4 

Errors  in  frequent  Control  weaknesses  in  salary  coding  attributable  to  job  changes  when  4 
cosullVcatons^          researchers  start,  complete,  join,  or  work  on  multiple  projects  with  varying  start 

and  end  dates,  are  a  significant  risk  to  the  accuracy  and  reliability  of  the 

University's  financial  statements.  The  Research  and  Trust  Accounting  ' 

Department  investigated  over-expended  research  projects  and  identified  ^ 

$6.4  million  in  correcting  entries.  We  found  the  majority  of  the  entries  stemmed  4 

from  salary  amounts  processed  by  Payroll  to  the  wrong  research  projects.  4 

4 

  4 
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Termination 
controls  not 
monitored 


b.    Improve  termination  controls 

While  Central  Payroll  has  developed  new  termination  processes  to  end  salaries, 
collect  access  cards  and  secure  IDs,  and  promptly  remove  system  access,  it 
believes  it  is  not  responsible  to  monitor  if  faculties  and  departments  implement 
and  continue  to  use  the  new  termination  procedures.  The  University  has  not 
properly  defined  the  Central  Payroll's  accountabilities  and  its  role  as  monitor  of 
the  decentralized  payroll  controls. 


Information 
entered  not 
reviewed  and 
approved 


c.    Improve  new-employee  controls 

For  new  salaried  employees,  the  form  used  to  enter  new  hire  information  into 
the  payroll  module  is  not  adequately  restricted  to  hiring  managers, 
faculty/department  supervisors  and  authorized  Human  Resources  staff.  And 
there  was  no  documentation  to  show  that  Faculty  and  Department  supervisors 
had  reviewed  and  appropriately  approved  the  new-hire  forms.  In  addition, 
Human  Resources  staff  do  not  verify  the  information  entered  into  the  Payroll 
module,  nor  do  they  match  it  with  approved  supporting  documentation,  such  as 
an  offer  letter. 


Excessive  access 
to  payroll  system 


For  new  hourly  employees,  291  people  have  access  to  create  hourly  employees 
in  the  Payroll  module  and  enter  timesheet  information.  These  two  functions  are 
not  subject  to  independent  supervisor  review  and  approvals. 


Inadequate 
support  for  payroll 
payments 


d.    Improve  documentation  controls 

Of  99  sampled  payroll  payments  during  the  first  three  quarters  of  the  2008 
fiscal  year,  the  University  could  not  provide  adequate  support  for  26  payments 
to  hourly,  monthly  and  semi-monthly  paid  employees.  For  the  amounts  the 
University  could  support,  we  found  no  errors;  however,  we  could  not  complete 
our  testing  because  the  University  did  not  keep  documentation  for  the 
remaining  26  payments. 


Overpayments  and 
errors  can  occur 


Implications  and  risks  if  recommendation  not  implemented 

Without  an  adequate  control  environment  over  payroll  processes,  there  is 
increased  risk  for  incorrect  payroll  payments,  misappropriation  of  assets,  and 
misstatements  in  financial  statements. 


2.2.3  Improving  controls  over  journal  entries 
Recommendation 

We  recommend  that  the  University  of  Calgary  improve  controls  over  the 
approvals  and  documentation  for  journal  entries. 
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Background 

Journal  entries  are  processed  at  Financial  Services,  faculties,  departments  and 
business  units.  In  our  2006-2007  Annual  Report,  Volume  2 — page  17,  we 
reported  on  management's  special  investigation  of  journal  entries  processed  by 
an  employee  at  Campus  Infrastructure  which  were  found  to  be  inappropriate. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  adequate  controls  to  ensure  journal-entry 
transactions  are  correct,  reviewed,  and  substantiated  by  sufficient  supporting 
documentation. 


Decentralized 
control  problems 
persist 


Our  audit  findings 

By  the  end  of  March  2008,  the  University  had  not  finished  its  policy  defining 
roles  and  responsibilities  for  creating  and  approving  journal  entries  or  the 
documentation  required  to  support  journal  entries.  Section  2.2.1  highlights  the 
decentralized  nature  of  general  ledger  controls  as  contributing  to  institution- 
wide,  decentralized  control  weaknesses,  inefficient  and  unsustainable  business 
processes,  and  financial-reporting  errors. 


We  identified 
$2.6  million  in 
errors 


Significant  journal-entry  errors  occurred  this  year.  Decentralized  staff — with 
insufficient  financial-statement  knowledge — have  general-ledger  access  to 
approve  journal  entries.  We  sampled  general  ledger  transactions  and  found  5 
financial  statements  errors  totalling  $2.6  million  originating  from  journal 
entries.  These  errors  originally  resulted  in  a  $600,000  overstatement  of  net 
income.  The  approvers  of  these  journal  entries  were  unaware  the  entries  created 
financial-statement  errors. 


Management 
identified  further 
$6.9  million  in 
errors 


When  management  learned  of  these  errors,  it  investigated  the  cumulative  effect 
of  similar  erroneous  journal  entries.  It  found  and  corrected  prior-year  errors 
totalling  $6.9  million.  We  reviewed  the  results  of  management's  investigation 
and  concluded  that  it  was  appropriate. 


The  University's  Management  Processes  and  Controls  unit  completed  a  review 
of  journal-entry  processes  at  Financial  Services.  We  agree  with  the  Unit's 
recommendations  to  improve  journal-entry  processes. 


Impiications  and  risks  if  recommendation  not  implemented 

Without  adequate  controls  over  journal  entries,  inappropriate,  erroneous,  and 
fraudulent  entries  could  be  processed  and  cause  misstatements  in  financial 
statements. 
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2.2.4  PeopleSoft  security — recommendation  repeated 
We  made  this  recommendation  in  our  2005-2006  Annual  Report,  Volume  2— 
page  24,  and  repeated  it  in  our  2006-2007  Annual  Report,  Volume  2 — page  13. 
For  the  second  time,  we  have  repeated  this  recommendation  because  the 
University  still  did  not  take  sufficient  action  to  mitigate  PeopleSoft  security 
risks  this  past  year. 

Recommendation  No.  22 

We  again  recommend  that  the  University  of  Calgary  improve  controls  in 
the  PeopleSoft  system  by: 

•  finalizing  and  implementing  the  security  policy  and  the  security  design 
document,  and 

•  ensuring  that  user  access  privileges  are  consistent  with  both  the  user's 
business  requirements  and  the  security  policy. 

Background 

In  April  2004,  the  University  started  a  three-year  project  to  move  several 
critical  business  and  financial  processes  to  PeopleSoft,  an  ERP  (see  glossary). 
In  2005,  the  general  ledger  and  materials  management  modules  moved  into 
PeopleSoft,  and  the  University  started  writing  a  security  design  document  to 
outline  the  process  and  define  the  rules  for  granting  users'  access  to  PeopleSoft. 
In  2006,  the  payroll  and  human  resources  modules  were  moved  into  PeopleSoft, 
followed  by  the  student  administration  module  in  2007. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  reduce  the  risk  of  unauthorized  or  inappropriate  access 
to  its  programs  and  data  by: 

•  implementing  a  comprehensive  security  policy  and  maintaining  an  up-to- 
date  security  design  framework  for  the  PeopleSoft  control  environment. 

•  controlling  access  to  programs  and  data  by  defining  and  enforcing 
procedures  to  identify,  authenticate  and  authorize  the  use  of  the 
University's  systems. 

•  establishing  procedures  to  ensure  that  only  authorized  changes  are  made  to 
user  accounts  (additions,  deletions,  changes)  and  that  they  are  made 
promptly. 

•  implementing  an  effective  control  process  to  periodically  review  the 
appropriateness  of  user  access  rights. 

Our  audit  findings 

What  the  Information  Technology  management  made  progress  in  fixing  the  issues  that 

University  did  ^  tQ  Qur  jn^aj  recommendation.  However,  the  fixes  have  not  adequately 

mitigated  security  risks.  We  repeated  the  recommendation  because  it  is  taking 
the  University  excessive  time  to  implement  adequate  security  controls  as  the 
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PeopleSoft  system  handles  critical  business  processes  and  hosts  confidential 

student,  financial,  and  personal  data.  The  University  made  the  following  1 

improvements:  1 

•  the  University  developed  and  implemented  a  University-wide  IT  security  i 
policy.  The  PeopleSoft  application  and  its  users  are  expected  to  follow  this.  , 

•  the  Information  Technology  department  implemented  a  process,  in 
conjunction  with  Human  Resources,  to  run  a  daily  query  to  identify 

terminated  employees.  The  results  trigger  a  manual  process  to  remove  1 
terminated  employees'  access.  1 

•  since  the  completion  of  our  audit  in  March  2008,  the  University  has  also 
removed  the  ability  to  change  historical  actions  in  PeopleSoft  from  the 
majority  of  users. 

What  remains  Below  are  the  main  improvements  the  University  must  still  make  to  implement 

the  recommendation.  The  University  must: 

•  implement  a  process  to  regularly  assess,  identify,  and  remediate  security 
vulnerabilities  in  the  PeopleSoft  system. 

•  develop  and  communicate  security  responsibilities  for  PeopleSoft  users  and 
administrators. 

•  develop  and  implement  security  design  documents  for  all  modules  in 
PeopleSoft,  and  then  ensure  they  are  consistently  followed. 

•  develop  and  implement  procedures  to  restrict  user  and  privileged  access 
(administrators,  developers,  and  database  administrators)  within  the  system 
whenever  possible. 

•  in  conjunction  with  all  business  units,  develop  and  implement  a  security 
matrix  and  control  process  to  regularly  review  and  validate  all  PeopleSoft 


end  user  and  privileged  access.  ' 

•  implement  a  monitoring  and  review  control  process  of  actions  or  changes  i 
made  in  PeopleSoft  with  privileged  user  or  administrative  accounts.  , 

•  in  conjunction  with  Human  Resources,  implement  an  effective  employment  ( 
transfer/job  change  control  process  to  ensure  that  employees  only  have  the 
PeopleSoft  access  needed  for  their  current  job  requirements.  ' 

0 

Implications  and  risks  if  recommendation  not  implemented  i 

Weak  access  controls  to,  and  within,  PeopleSoft  may  result  in  unauthorized  , 
access  to  confidential  data,  entry  of  an  unauthorized  transaction,  and  the 


accidental  or  deliberate  destruction  or  alteration  of  data.  Poor  controls  may  also 

lead  to  the  unauthorized  release  of  confidential  student  or  financial  information.  1 

Therefore,  the  University  may  not  be  able  to  rely  on  the  completeness,  1 

accuracy,  or  validity  of  the  data  produced  by  PeopleSoft.  i 

  0 
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Investments 
managed 
externally  and 
internally 


University  holds 
$67.5  million  in 
ABCP 

Recorded 
$16.8  million 
impairment 


Committee 

reviews 

investments 


2.2.5  Improving  controls  over  investments 
Recommendation 

We  recommend  that  the  University  of  Calgary  improve  controls  over  the 
approvals  of  transactions  for  its  internally  managed  investments. 

Background 

The  University's  Treasury  and  Investments  unit  is  responsible  for  its  banking 
function  and  also  invests  the  University's  cash  in  short-term  money  market 
investments.  The  majority  of  the  University's  investments  are  managed  by 
external  investment  managers.  Depending  on  the  University's  operating  cycle, 
the  Treasury  and  Investments  unit  can  invest  as  much  as  $1 10  million  of  the 
University's  working  capital  in  short-term  money  market  investments.  The 
University's  investment  committee  sets  parameters  for  management  of 
internally  managed  net  assets  in  short-term  funds.  We  reviewed  the  control 
system  for  money  market  investments  transacted  by  the  Treasury  and 
Investments  unit. 

At  March  31,  2008,  the  University  held  approximately  $67.5  million  in  asset 
backed  commercial  paper  (ABCP).  Because  of  a  weakening  credit  market  since 
August  2007,  the  fair  value  of  ABCP,  both  bank  sponsored  and  non-bank 
sponsored  have  fallen  dramatically.  Many  non-bank  sponsored  ABCP  is 
expected  to  be  restructured  into  long-term  variable  rate  notes  that  will  be  retired 
as  the  underlying  assets  in  the  conduit  are  liquidated.  Consequently,  the 
University  estimated  and  recorded  an  impairment  provision  in  the  value  of  its 
investments  (for  non-endowed  investments)  totalling  approximately 
$16.8  million  (24.89%  of  the  total  cost  base  of  its  ABCP). 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  appropriate  controls  for  the  documented  monitoring 
and  approval  of  its  internally  managed  investments. 

Our  audit  findings 

The  Board  Investment  Committee  reviews  a  detailed  listing  of  short-term 
working  capital  investments  and  ensures  these  investments  conform  to  the 
University  of  Calgary's  Investment  Policy.  Through  this  process,  the 
Investment  Committee  was  aware  of  the  trusts  the  University  had  invested  in 
which  subsequent  to  year  end  had  impairment  provisions  booked  against  it 
because  they  were  non-bank  sponsored  ABCP.  At  the  time  ABCP  investments 
were  purchased,  the  Treasury  and  Investments  unit  complied  with  the 
Investment  Committee  policy  because  these  investments  were  then  rated  Rl  by 
the  Dominion  Bonding  Rating  Services. 
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The  Treasury  and  Investments  Senior  Banking  Officer  researches  the  quality  of 
investment  instruments  available  for  purchase,  prepares  the  documentation  and 
completes  the  purchase  transaction  for  the  acquisition  of  money  market 
investments.  While  the  Treasury  and  Investments  unit  informally  monitors 
these  transactions,  evidence  supporting  the  timely  monitoring  and  approval  of 
these  transactions  was  not  documented  or  available.  Good  controls  over 
investments  should  be  evidenced  by  documentation  to  show  that  the  Treasury 
and  Investments  unit  had  promptly  reviewed  and  approved  investment 
transactions.  This  formal  process  would  provide  senior  management  assurance 
that  investment  transactions  are  independently  reviewed,  promptly  approved 
and  comply  with  the  investment  policy. 

Implications  and  risks  if  recommendation  not  implemented 

Without  good  processes  to  monitor,  approve,  review  investment  transactions 
and  document  controls,  the  University  may  not  detect  inappropriate  investment 
transactions. 

2.2.6  Complying  with  legislation 
Recommendation 

We  recommend  that  the  University  of  Calgary  comply  with  the  Post- 
Secondary  Learning  Act  hy  seeking  approval  of  the  Lieutenant  Governor  in 
Council  before  engaging  in  housing-loan-guarantee  transactions. 

Background 

In  early  2007,  the  University  began  offering  housing-loan  guarantees  to  attract 
faculty  and  senior  administrative  staff  to  the  University,  with  some  agreements 
allowing  for  interest  and  principal  forgiveness.  Housing-loan  guarantees  offered 
ranged  up  to  $1  million  plus  interest  benefits.  At  March  31,  2008,  the  largest 
guarantee  provided  for  an  employee  was  $500,000  with  a  total  of  $3.9  million 
in  housing-loan  guarantees  provided  by  the  University. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  an  effective  process  to  comply  with  the  Post- 
Secondary  Learning  Act. 

Our  audit  findings 

The  University  issued  housing  loan  guarantees  without  prior  approval  from  the 
Lieutenant  Governor  in  Council.  This  violates  section  74(2)  of  the  Post- 
Secondary  Learning  Act,  which  states  a  Board  may  not  guarantee  the 
obligations  of  another  person  without  the  prior  approval  of  the  Lieutenant 
Governor  in  Council.  In  January  2008,  senior  management  wrote  to  the  Deputy 
Minister  of  Advanced  Education  and  Technology  and  advised  that  the  Board 
had  updated  its  policy  to  increase  limits  of  loans  the  University  could 


Formal  review  and 
approval  of 
individual 
transactions 
needed 


University  offered 
housing  loan 
guarantees 
totalling 
$3.9  million 


Lieutenant 
Governor  in 
Council  did  not 
approve 
guarantees, 
contrary  to  law 
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guarantee.  In  response,  the  Deputy  Minister  recommended  the  University 
discuss  the  matter  with  the  Minister  of  Advanced  Education  and  Technology 
and  take  steps  to  comply  with  legislation.  In  April  2008.  senior  management 
wrote  to  the  Minister  to  seek  this  approval.  As  of  June  16.  2008,  the  University 
had  not  obtained  the  appropriate  approvals  to  provide  these  guarantees. 

Implications  and  risks  if  recommendation  not  implemented 

Without  an  effective  process  to  ensure  compliance  with  the  Post-Secondary 
Learning  Act  the  University  may  breach  the  law  and  face  criticism  by 
regulators. 

2.2.7    Campus  security  services— Implemented 
Recommendation  \n  0Ur  2005-2006  Annual  Report  (Vol.  2— page  26) ,  we  recommended  that  the 

implemented  University  of  Calgary  Campus  Security  improve  processes  to: 

•  track  open  investigative  files  by  key  duties  and  responsibilities. 

•  record  detailed  evidence  on  investigative  files,  particularly  in  cases  of 
arrest  or  detention. 

The  University  of  Calgary  implemented  our  recommendation  by: 

•  modifying  their  computer  system  that  allows  them  to  better  monitor  the 
incident  reports  requiring  follow-up  and  for  ensuring  the  follow-up  work  is 
completed. 

•  maintaining  a  comprehensive  log  file  that  allows  management  to  monitor 
the  number  of  persons  detained  or  arrested,  the  reasons  for  the  detention, 
the  length  of  time  a  person  was  in  CSS's  custody,  and  the  response  time  of 
Calgary  Police  Services. 

2.3  University  of  Lethbridge 

2.3.1  Improving  the  University's  financial  processes 
Recommendation 

We  recommend  that  the  University  of  Lethbridge  improve  its  year  end 
processes  to  ensure  the  preparation  of  complete  and  accurate  financial 
statements. 

Background 

The  University  is  a  large  and  complex  operation  with  involvement  in  a  wide 
range  of  areas  that  contain  complex  agreements  and  regulatory  requirements. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  effective  processes  to  produce  timely  and  accurate 
financial  statements.  This  includes  sufficient  staff  resources,  technical  skills 
relating  to  generally  accepted  accounting  principles  for  not-for-profit 
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organizations,  and  automated  processes  to  enable  an  efficient  completion  of  the 
year-end  process. 


Financial 
statements  late 
and  required 
significant 
changes 


Our  audit  findings 

We  identified  many  adjustments  that  the  financial  statements  needed  after  the 
audit  started.  We  received  the  first  draft  financial  statements  on  May  4,  2008, 
but  did  not  receive  the  final  financial  statements  for  the  year  ended 
March  31,  2008  until  June  18,  2008.  In  addition,  the  University's  processes  did 
not  allow  Financial  Services  to  promptly  identify  and  review  the  accounting 
treatment  of  certain  complex  issues.  For  example,  in  October  2007  the 
University  entered  into  three  separate,  but  related  contracts  for  one  building: 

•  the  first  contract  was  to  lease  the  building  for  five  years. 

•  the  second  contract  was  to  receive  the  building  as  a  donation  from  the 
lessor  over  the  five-year  lease. 

•  the  third  contract  was  to  receive  the  building  as  a  donation  at  the  end  of  the 
lease. 


Financial  Services  did  not  find  out  about  these  contracts  until  the  year-end 
processes  and  then  did  not  properly  analyse  their  impact  on  the  financial 
statements;  they  required  several  adjustments  to  the  financial  statements. 


Inaccurate 

financial 

information 


Implications  and  risks  if  recommendation  not  implemented 

Interim  reporting  may  be  inaccurate  due  to  inappropriate  accounting  for 
complex  transactions.  This  may  result  in  significant  variances  between  interim 
reports  and  the  audited  financial  statements. 


Assessed 
financial-control 
systems  to  manage 
research 


Complex  research 
environment 


2.3.2  University  of  Lethbridge  financial  controls  for  managing  research 
2.3.2.1  Summary 

At  the  request  of  management  of  the  University  of  Lethbridge,  we  examined  the 
University's  financial-control  systems  for  managing  research  to  assess  if  they 
are  adequate,  designed  well,  and  operating  effectively.  The  review  focused  on 
financial-control  systems — not  all  aspects  of  the  University's  research- 
management  systems. 

The  University  has  various  policies,  procedures  and  controls  systems  to 
administer  routine  research.  Routine  research  comprises  projects  funded  from 
traditional  sources,  such  as  grants  from  the  federal  government's  research 
agencies.  Over  time,  research  management  at  the  University  has  become 
increasingly  complex.  Grants  involving  networks  of  researchers,  institutional 
grants,  and  funds  transferred  from  other  Universities  are  examples  of  complex 
arrangements  for  non-routine  research  projects  funded  by  non-traditional 
sources.  To  assess  the  financial  management  of  research  funds,  we  had  to 
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Good  controls  for 
routine  research 

Inadequate 
controls  for  non- 
routine 
research  three 
recommendations 


understand  the  financial  roles  and  responsibilities  of  Research  Services, 
Financial  Services,  the  Deans  and  University  administration. 

We  found  that  the  University's  financial-control  systems  effectively  manage 
routine  research.  Once  a  routine  grant  has  been  properly  set  up,  there  are  good 
controls  over  approving  research  expenses  and  to  prevent  overspending. 
However,  these  systems  are  inadequate  to  administer  complex  grants  and  non- 
routine  research  projects.  We  made  three  recommendations  for  the  University  to 
significantly  improve  the  financial  control  systems: 

1.  clearly  define  and  communicate  the  financial  research-management  roles 
and  responsibilities  of  Research  Services,  Financial  Services  and  the 
Deans. 

2.  ensure  all  financial  research  policies  are  current  and  comprehensive: 
maintain  proper  documentation  for  approving  research  accounts;  ensure 
researchers,  research  administrators,  and  Financial  Services  staff  know  of 
changes  to  policies  and  are  properly  trained  to  comply  with  them. 

3.  ensure  management  periodically  reports  to  the  Board  of  Governors  key 
information  on  financial  risks  in  research  management. 


Why  the 

recommendations 
matter 


Without  well-designed  financial  controls  and  processes  to  enforce  compliance, 
the  University's  research  initiatives  may  not  achieve  their  goals  cost-effectively. 
Weaknesses  in  the  research-control  environment  may  cause  funding  agencies  to 
reduce  or  stop  funding  for  University  research. 


2.3.2.2  Clearly  defined  financial  research  roles  and  responsibilities 
Recommendation 

We  recommend  that  the  University  of  Lethbridge  clearly  define  and 
communicate  the  financial  research-management  roles  and  responsibilities 
of  Research  Services,  Financial  Services,  and  Deans. 


Administrative 
support  given  by 
Research  Services 


Financial  Services 
monitors 


Background 

Research  Services  and  faculty  research  offices  give  administrative  support  to 
researchers.  Research  Services  advises  and  offers  support  on  funding 
applications  and  proposals  when  researchers  make  requests  within  a  reasonable 
time  before  the  due  date  of  an  application.  These  timelines  are  available  on  the 
Research  Services  website.  Research  Services  also  reviews  contracts  to  confirm 
that  they  meet  University  policies. 

Financial  Services  sets  up  research  accounts  after  receiving  the  documentation 
and  approvals  from  Research  Services.  It  monitors  them  after  awards  are  made, 
and  applies  operating  procedures  to  ensure  compliance  with  requirements  of 
research  sponsors. 
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Criteria:  the  standards  we  used  for  our  audit 

The  University  and  faculties  should  have  clearly  defined  financial  roles, 
responsibilities  and  accountabilities  for  making  research  policy,  approving  and 
monitoring  research,  administering  research  funds,  and  supporting  researchers. 
The  responsibilities  and  accountabilities  should  be  clearly  communicated  to  all 
staff  administering  research. 


Criteria  partly  met 


Our  audit  findings 

The  University  partly  met  the  criteria.  Although  its  general  research  policy 
explains  roles,  it  has  not  clearly  defined  the  financial  roles,  responsibilities,  or 
accountabilities  of  key  contributors  to  research  management.  The 
responsibilities  and  accountabilities  of  faculties,  Deans,  Financial  Services  and 
Research  Services  are  unclear. 


Unclear  roles  in 
research  policies 


Role, 

responsibilities, 
accountabilities 
not  well-defined 
or  -understood 


Unclear  definition  of  roles  and  responsibilities  in  research  policies — a 

general  research  policy  explains  the  roles  of  the  faculty,  research  associates  and 
assistants,  visiting  scholars,  administration,  controller's  office  and  research 
support.  But  the  policy  as  noted  further  in  section  2.3.2.3  below  has  gaps  and  is 
outdated:  it  was  last  updated  in  1992.  For  example,  the  policy  states  that  the 
Vice  President  Academic — not  the  Vice  President  Research — is  responsible  for 
the  administration  and  coordination  of  research;  the  role  and  responsibilities  of 
the  Vice  President  Research  are  not  defined.  Neither  is  role  of  the  Dean,  who  in 
practice  is  the  officer  overseeing  research.  A  research  manual  outlines  many 
research  policies  and  procedures.  Specific  policies  exist  to  cover  travel,  over- 
expenditures,  equipment  quotes  and  approval  of  expenses.  But  policies  don't 
identify  who  should  administer  them. 

Lack  of  clarity  of  roles,  responsibilities  and  accountabilities — a  significant 
lack  of  well-defined  financial  roles  and  responsibilities  pervades  all  areas  of 
research,  including  Research  Services,  Financial  Services,  and  faculties. 
Conflicts  have  arisen  between  Financial  Services,  researchers,  and  Research 
Services. 


External  review 

confirmed 

problems 


The  University's  Office  of  Research  Services  commissioned  an  external  review 
of  its  operations.  The  resulting  December  2007  report  confirmed  a  lack  of 
clarity  in  the  roles,  responsibilities  and  reporting  relationships  in  Research 
Services.  The  review  also  concluded  that  Research  Services  performs  a 
facilitative  role,  while  Financial  Services  has  a  more  control-orientated 
function.  When  they  jointly  administer  research,  miscommunication  and 
conflict  can  occur. 


Financial  Services 

monitors 

compliance 


The  University's  general  research  policy  defines  the  approval  processes  for 
each  type  of  research  proposal  administered  by  Research  Services.  Monitoring 
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But  conflicts 
occur  because 
Financial  Services 
lacks  authority  to 
monitor 


compliance  with  University  policies  lies  mainly  with  Financial  Services.  The 
job  description  of  the  research  accountant  in  Financial  Services  confirms  this. 
But  roles  and  responsibilities  are  not  well  communicated.  Neither  researchers 
nor  Research  Services  properly  understand  the  role  of  the  research  accountant 
employed  by  Financial  Services. 

None  of  the  University's  policies,  including  its  general  research  policy,  specify 
that  Financial  Services  is  responsible  for  monitoring  research  accounts  or  give 
it  authority  to  enforce  compliance  with  research  policies.  The  Deans' 
involvement  in  monitoring  research  is  limited  to  approving  expense  claims 
from  researchers  in  their  department.  The  Vice  President  Research  is  not 
actively  involved  in  monitoring  research  financial  controls  but  may  help  resolve 
disputes  between  Financial  Services  and  a  researcher  or  Dean.  Financial 
Services  staff  report  tensions  and  conflicts  with  researchers  when  they  try  to 
enforce  controls  on  researchers'  projects. 


Implications  and  risks  if  recommendation  not  implemented 

Without  a  clear  definition  and  communication  of  roles,  responsibilities  and 
accountabilities  of  the  key  contributors  to  research  activities,  conflicts  may 
arise  and  research  controls  may  fail.  And  research  funding  agencies  may  reduce 
or  stop  funding  University  research  projects. 

2.3.2.3  Clear  and  complete  research  policies 
Recommendation 

We  recommend  that  the  University  of  Lethbridge  improve  systems  to 
ensure  that: 

•  financial  research  policies  are  current  and  comprehensive. 

•  proper  documentation  is  maintained  for  approving  research  accounts. 

•  researchers,  research  administrators  and  Financial  Services  staff  are 
aware  of  changes  to  financial  policies  and  are  properly  trained  to 
comply  with  the  policies. 


Policies  and 
processes  in  place 


Background 

The  University  has  policies  and  processes  for  approving  research  proposals, 
managing  projects,  approving  overspending  in  research  accounts,  and  recording 
and  reporting  research  financial  information  to  funding  agencies  and 
management. 

Research  Services  administers  some  aspects  of  policies,  secures  proper 
documentation  and  seeks  approval  before  opening  a  research  account.  For 
externally  funded  research  proposals  prepared  primarily  by  researchers,  the 
policy  requires  proposals  to  be  approved  by  the  Dean,  Department  Chair  and 
the  Vice  President  Research. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


227 


Financial  statement  and  other  assurance  audits 


Advanced  Education  and  Technology 


Policy  for  over- 
expenditures 


The  University  has  a  policy  to  administer  research  accounts  where  research 
expenses  are  projected  to  exceed  funding.  The  policy  has  reasonable  limits  for 
over-expenditures  (20%  of  next  year's  grant  instalment  to  a  maximum  of 
$20,000)  and  also  allows  for  special  circumstances  where  more  funds  are 
required.  Both  the  Dean  and  the  Vice  President  Research  must  approve  the 
over-expenditure.  Financial  Services  will  not  let  individual  funds  be  overspent 
without  proper  approval. 


Criteria:  the  standards  we  used  for  our  audit 

The  University  should  ensure  that: 

•  research  policies  provide  clear  and  comprehensive  guidance  to  faculties 

and  researchers. 

•  adequately  designed  systems  exist  for  approving  research  accounts  and 
enforcing  compliance  with  policies  and  requirements  of  research  funding 

agencies. 

•  all  researchers,  research  administrators  and  Financial  Services  staff  are 
aware  of  and  can  access  all  relevant  policies,  and  are  properly  trained  to 
comply  with  policies. 


Criteria  partly  met 


Our  audit  findings 

The  University  partly  met  the  criteria.  Sampled  research  expenses  were 
properly  authorized  and  eligible  for  funding  under  grant  agreements.  Research 
policies  exist  to  cover  approval  of  expenses  and  proposals,  overspending  on 
research  accounts,  and  recovery  of  overhead  costs,  but  many  need  to  be  updated 
and  improved.  We  found  deviations  from  the  current  policies.  Research 
Services  said  that  current  policies  don't  apply  to  the  deviations  because  they 
were  non-routine  research.  Current  research  policies  do  not  define  non-routine 
research  or  explain  how  the  University  should  administer  these  research 
accounts.  Scheduled  internal  training  for  researchers,  research  administrators 
and  Financial  Services  staff  was  not  maintained. 


Some  policies 
incomplete, 
outdated  and 
widely  interpreted 


Vague,  outdated  and  incomplete  policies — policies  exist  for  segregation  of 
duties  within  the  purchasing  and  receiving  departments  and  for  the  approval  of 
expenses.  Financial  Services  monitored  research  expenses  to  confirm  they  were 
properly  authorized  by  a  person  at  a  higher  level  than  the  person  who  requested 
the  reimbursement.  However,  some  policies  are  vague  and  have  lead  to 
inconsistencies  when  applied.  For  example,  the  University's  overhead  policy 
sets  a  rate  for  recovering  overhead  costs  from  projects.  The  policy  also  gives 
the  Vice  President  Research  the  discretion  to  lower  the  overhead  charge  to  zero. 
The  overhead  charged  to  research  projects  ranges  from  0  to  40%.  As  a  result, 
the  University  may  not  adequately  recover  overhead  costs  and  may  fall  short  of 
recoveries  it  had  planned  on.  The  overhead  policy  does  not  explain  when 
recovery  of  overhead  costs  may  be  waived. 
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No  regular  review 
of  policies 


Non-routine 
projects  hard  to 
administer 


Examples  of 
deviations  from 
policies 


Some  policies  are  not  current.  The  University's  general  research  policy  was  last 
updated  in  1992.  The  University  recently  started  updating  its  overhead  policy, 
but  it  does  not  review  all  policies  regularly.  It  has  not  finished  implementing  a 
policy  for  administering  internal  research  funds.  The  existing  general  research 
policy  has  gaps — it  does  not  define  what  non-routine  research  is  or  how  the 
University  should  administer  these  research  funds. 

Systems  for  approving  projects — the  University  designed  policies  and 
procedures  for  routine  research  grants.  Staff  administering  research  had 
difficulty  applying  them  to  non-routine  projects  and  contracts.  The  exceptions 
we  found  were  for  non-routine  projects,  especially  for  grants  and  contracts 
where  approval  processes  deviated  from  current  policy.  The  University  needs  to 
update  policies  and  procedures,  in  particular  for  managing  non-routine  projects. 

The  following  examples  (confirmed  by  management  as  non-routine  research 
transactions)  illustrate  deviations  from  current  policies.  They  also  confirm  that 
the  University  did  not  maintain  adequate  documentation  to  show  proper 
approvals  and  monitoring. 

•  Of  12  externally  funded  projects  tested,  9  had  no  research  grant  proposal 
approvals  documented.  The  current  policy  states  that  all  research  proposals 
require  approvals  of  the  Dean,  Department  Chair  and  Vice  President 
Research.  In  another  sample  for  a  $1.5-million  externally  funded 
institutional  research-capacity  grant,  the  University's  grant  proposal  was 
signed  by  only  its  President.  Nothing  on  file  explained  why  the 
University's  approval  process — requiring  the  Dean,  Department  Chair  and 
Vice  President  Research  to  approve  the  proposal — was  not  followed. 
Management  later  told  us  that  the  funding  agency  specifically  required  the 
approval  of  the  President  and  gave  us  documentation  confirming  this. 

•  For  three  internally  funded  projects,  no  evidence  showed  that  they  met  the 
University  policy  requiring  the  Research  Committee,  Vice  President 
Academic  and  the  President  to  approve  them. 

•  In  10  of  20  funds  sampled,  the  policy  for  opening  either  an  internally  or 
externally  funded  research  account  was  not  followed.  For  example,  the 
documentation  for  authorizing  to  open  an  account,  and  proof  of  committee 
approval  on  research  and  animal  subjects  was  missing.  In  addition,  the  lack 
of  an  approved  grant  proposal  on  file  was  the  most  frequent  policy 
violation. 

•  In  a  sample  of  overspent  research  accounts,  two  requests  for  overspending 
did  not  have  the  approvals  the  policy  required.  One  did  not  have  the 
signatures  of  the  Dean  and  Department  Chair.  The  other  did  not  have  the 
signature  of  the  Department  Chair. 
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Exceptions  for 

non-routine 

research 


The  Vice  President  Research  confirmed  that  these  exceptions  were  for  non- 
routine  research  projects  (mainly  institutional  and  internal  grants)  and  therefore 
not  subject  to  the  current  policies.  However,  no  documentation  was  on  each  file 
to  show  that  appropriate  approvals  and  monitoring  took  place. 


Good  controls 
over  approving 
research  expenses 

Inconsistent 
interpretation  and 
application  of 
policies 


Process  defined  to 
open  and  maintain 
accounts 


Monitoring  compliance  processes — we  saw  no  cases  where  spending  on  a 
project  started  before  a  research  account  was  opened  or  a  sponsor  had  approved 
a  grant  award.  Testing  found  no  cases  where  expenses  charged  against  research 
grants  were  not  permitted  by  funding  agencies.  Also,  there  were  no  cases  where 
the  signing  authorities'  policy  (based  on  the  principle  of  one-over-one  approval 
of  research  reimbursement  expenditures)  was  not  followed.  In  addition, 
Financial  Services  reviewed  financial  information  to  ensure  compliance  with 
the  University's  signing  authority  policy.  However,  staff  monitoring 
compliance  with  policies  had  trouble  enforcing  them  because  policies  are 
inconsistently  interpreted.  In  some  cases,  Research  Services  stated  that  policies 
did  not  apply  because  they  were  non-routine  projects.  As  a  result,  policies  are 
inconsistently  applied.  Despite  the  issues,  Financial  Service  staff  were  generally 
effective  in  applying  financial  controls  over  the  projects. 

Financial  Services  relies  on  Research  Services  to  properly  administer  research 
from  the  proposal  stage  until  the  authorization  to  open  a  research  account  is 
provided.  Research  Services  maintains  files  on  each  research  grant  or  contract 
and  administers  the  documentation  for  approvals.  Financial  Services  receives 
from  Research  Services  the  appropriate  documentation  to  open  research 
accounts. 


Approval  process 
not  followed 


Missing 
information  on 
files 


For  one  file,  the  Vice  President  Research  asked  Financial  Services  to  open  an 
account.  There  was  no  documentation  in  the  fund  file  (except  for  an  account 
number  and  balance)  to  explain  why  the  account  was  opened  and  who  had 
approved  it.  Current  policy  for  approving  the  account  was  not  followed. 
Financial  Services  staff  said  they  cannot  enforce  compliance  with  policies  when 
Research  Services  considers  a  research  project  to  be  unusual,  "one-off,"  or  non- 
routine.  For  the  one  exception,  Financial  Services  sought  further  explanations 
from  the  Vice  President  Research  to  confirm  the  approval  of  account. 

Financial  Services  appropriately  monitored  budgets  based  on  the  requirements 
of  the  funding  agencies — on  an  aggregate-budget  basis  or  a  budget-component 
basis.  One  of  the  20  files  had  no  budget  information,  and  other  documentation, 
such  as  the  application  and  research  proposal,  was  also  missing.  The  account 
was  not  overspent.  Again,  Research  Services  said  this  account  was  non-routine 
because  it  related  to  a  transfer  of  funds  from  another  institution. 
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Lack  of  training 
on  policies 


Awareness  of,  and  access  to,  all  relevant  policies— Research  Ser\  ices 
administrators  give  advice  on  policies  to  researchers.  All  researchers  have 
access  to  and  are  aware  of  policies  on  the  University's  website.  However, 
researchers  don't  have  to  show  that  they  have  read  and  understood  the  policies. 
All  new  researchers  are  supposed  to  attend  training  sessions  on  research 
policies,  guidelines  and  expectations.  The  University  used  to  schedule  training 
sessions  to  promote  awareness  of  changes  to  policies  and  updates  in  controls. 
But  the  sessions  were  poorly  attended,  and  the  University  has  not  investigated 
how  to  improve  attendance.  Researchers  are  supposed  to  learn  on  the  job,  with 
minimal  additional  guidance.  Scheduled  internal  training  programs  to  provide 
interpretative  guidance  on  policies  were  not  evident  for  current  researchers. 
Also,  there  are  no  scheduled  internal  training  sessions  for  research 
administrators  in  Research  Services  and  Financial  Services  staff. 


Implications  and  risks  if  recommendation  not  implemented 

Without  good  account-approval  processes,  clear  and  comprehensive  policies, 
and  training  of  staff,  controls  over  research  may  fail  and  the  University  may 
lose  funding  if  research  sponsors'  needs  are  not  met. 

2.3.2.4  Periodic  reporting  to  the  Board  of  Governors  on  financial  risks 
Recommendation 

We  recommend  that  University  of  Lethbridge  management  periodically 
report  to  the  Board  of  Governors  key  information  on  financial  risks  in 
research  management. 

Criteria:  the  standards  we  used  for  our  audit 

The  University  should  have  effective  processes  to  periodically  report  key 
information  on  financial  risks  in  research  management  to  the  Board  of 
Governors. 


Criteria  partly  met 


Our  audit  findings 

The  University  partly  met  the  criteria. 


Information 
systems  deliver 
timely  and 
accurate 
information 


Researchers  are  satisfied  with  the  web-based  financial  reporting  systems  at  the 
University,  which  deliver  timely  and  accurate  information.  Researchers  report 
progress  on  their  research  accounts  to  funding  agencies.  Financial  Services 
prepares  final  and  interim  financial  reports  showing  use  of  funds  and  sends 
them  to  funding  agencies. 


Key  research 
information  for 
Board  lacking 


The  President  meets  weekly  with  the  vice  presidents  to  discuss  risks  and  other 
key  information.  The  Board  routinely  receives  aggregated  financial  information 
on  teaching,  research  and  ancillary  operations  activities  so  it  can  assess  the 
University's  overall  performance.  But  minutes  of  Board  of  Governors  meetings 
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and  discussions  with  research  management  confirm  that  the  Board  does  not 
regularly  receive  key  information  on  financial  risks  in  research  management. 
For  example,  the  Board  did  not  get  specific  information  on  commitments  of 
contributors  to  match  funding  of  research  agencies  on  large-scale  research 
projects.  As  a  result,  the  Board  may  not  know  some  financial  risks  in  research 
management. 

Here  is  an  example  showing  that  the  process  to  assess  risks  of  matching  funds 
and  report  the  risks  to  the  Board  is  deficient.  For  one  grant  for  a  group  of 
projects,  the  University  sought  funding  from  a  federal  government  granting 
agency.  The  University  represented  that  it  expected  funding  to  be  matched  by 
contributions  from  an  existing  Government  of  Alberta  grant  program,  which 
had  previously  matched  funds  for  similar  grants.  However,  the  University  did 
not  have  an  agreement  with  Government  of  Alberta  to  confirm  its  commitment 
to  match  funds.  After  the  federal  government  paid  its  grant,  the  University  was 
unsuccessful  in  securing  matching  funds  from  the  Government  of  Alberta.  As  a 
result,  the  University  had  an  estimated  $700,000  shortfall  and  had  to  fund  the 
project  internally.  The  Board  of  Governors  was  not  informed  of  the  risk  that 
one  of  the  grantors  may  not  pay  the  matching  contributions.  After  management 
learned  of  the  shortfall,  it  obtained  Board  approval  to  use  internal  funds  to 
match  contributions  of  the  granting  agency. 

Implications  and  risks  if  recommendation  not  implemented 

The  University's  Board  of  Governors  may  not  know  the  key  risks  in  research 
management.  Without  good  information,  the  Board  cannot  properly  assess  if 
the  risks  are  adequately  managed. 


Deficient  process 
to  assess  risks  and 
inform  Board 


2.4  Review  accounting  treatment  for  Universities  Academic  Pension  Plan  for 
all  universities 
Recommendation  No.  23 

We  recommend  that  the  four  Alberta  universities  continue  to  work 
together — and  with  the  Department  of  Advanced  Education  and 
Technology — to  review  the  accounting  treatment  for  the  unfunded  liability 
of  the  Universities  Academic  Pension  Plan. 


Universities 
participate  in 
pension  plan 


Background 

The  Universities  participate,  together  with  the  Banff  Centre,  in  the  Universities 
Academic  Pension  Plan  (the  Plan).  The  Plan  is  a  registered,  defined-benefit 
pension  plan  that  pays  retirement,  disability,  spousal/survivor,  and  termination 
benefits  to  eligible  members  or  their  eligible  survivors. 


Plan  deficiencies 
and  funding 
arrangements 


The  Plan's  financial  statements  of  December  31,  2007  reported  an  unfunded 
liability  of  $535.8  million  at  December  2007— $501.3  million  for  pre-1992  and 
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$34.5  million  for  post- 1991.  The  unfunded  liability  for  service  before 
January  1.  1992  is  financed  by  additional  contributions  from  the  Province  of 
Alberta,  employers  and  employees.  The  Province  pays  1.25%  of  salary  and  the 
balance  of  the  required  contributions  is  equally  split  between  employees  and 
employers.  The  employers  and  employees  are  equally  responsible  for  the  post- 
1991  liability.  The  Department  of  Finance  and  Enterprise  records  the 
government's  share  of  the  liability. 


Last  year, 
universities  had 
inconsistent 
information  on 
Plan  valuation  and 
their  liability 


Last  year,  there  were  four  different  valuations  for  the  Plan:  from  the  Plan 
administrators,  the  Department  of  Finance  and  Enterprise,  the  University  of 
Alberta  and  the  University  of  Calgary.  As  a  result,  the  universities  did  not  have 
consistent  information  to  determine  their  respective  shares  of  the  unfunded 
liability,  and  therefore  did  not  record  the  liability  in  their  financial  statements. 
The  Universities  recorded  in  the  financial  statements  the  total  amount  paid 
during  the  year  to  fund  the  benefits  promised  instead  of  the  total  liability  for 
retirement  benefits  outstanding.  We  believe  that  the  universities  should  work 
together  to  reach  a  common  approach  to  accounting  for  the  liability  and 
estimating  their  respective  share  of  the  liability. 


Criteria:  the  standards  we  used  for  our  audit 

The  universities  should  provide  relevant  and  useful  information  in  their 
financial  statements. 


Consistent 
information  this 
year 


Our  audit  findings 

The  Department  of  Advanced  Education  and  Technology  worked  with  the 
universities  to  coordinate  the  actuarial  valuation  of  the  unfunded  liability  for  the 
plan.  The  table  below  sets  out  the  information  on  the  actuarial  valuation1  of  the 
unfunded  liability  at  March  31,  2008  based  on  accounting  standards  for  not-for- 
profit  organizations  (CICA  3461)  and  accounting  standards  for  public 
sector  organizations  (PSAB  3250).  A  difference  arises  between  the  standards  as 
they  use  a  different  estimate  of  a  discount  rate  for  pension  liabilities.  The 
allocation  between  universities  is  based  on  a  percentage  of  payroll,  consistent 
with  the  ongoing  operation  of  the  Plan,  and  the  basis  on  which  universities 
contribute  to  it. 


Actuarial  valuations  by  Mercer  (Canada)  Limited  dated  April  16.  2008. 
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Why  unfunded 
liability  not 
recorded  in 
financial 
statements 


Unfunded  liability 
disclosed  in 
financial 
statement  notes 


Current 
accounting 
treatment  in 
accordance  with 
accounting 
standards 

But  may  not 
provide  most 
meaningful 
information  to 
readers 

Recommendation 
intended  to 
improve  financial 
reporting — 
nothing  else 


Percent  of 
total  Payroll 
basis 

Not-for-profit  Accounting 
Standards 
(millions) 

Public  Sector  Accounting 
Standards 
(millions) 

Pre-1992 

Post-1991 

Total 

Pre-1992 

Post- 1991 

Total 

University  of  Alberta 

49.1% 

106.55 

70.25 

176.80 

85.15 

28.38 

113.53 

University  of  Calgary 

35.9% 

77.91 

51.36 

129.27 

62.25 

20.74 

82.99 

University  of  Lethbridge 

8.8% 

19.1 

12.59 

31.69 

15.26 

5.08 

20.34 

Athabasca  University 

4.8% 

10.42 

6.87 

17.29 

8.32 

2.77 

11.09 

Banff  Centre 

1.3% 

2.82 

1.86 

4.68 

2.25 

0.75 

3.00 

Trustee's  Office 

0.1% 

0.22 

0.14 

0.36 

0.17 

0.06 

0.23 

Sub-total 

217.02 

143.07 

r  360.09 

173.4 

57.78 

r  231.18 

Government  share 

252.73 

0 

252.73 

226.41 

0 

226.41 

Employees  share 

217.02 

143.07 

360.09 

173.39 

57.78 

231.17 

Total 

686.77 

286.14 

972.91 

573.2 

115.56 

688.76 

The  universities  have  not  recorded  their  share  of  the  unfunded  pension  liability 
in  their  financial  statements  because: 

•  they  are  still  working  toward  an  agreement  on  a  reasonable  basis  to 
calculate  each  university's  share  of  the  liability. 

•  proposed  changes  to  the  Plan  may  significantly  affect  the  liability. 

The  universities  recorded  their  contributions  in  accordance  with  accounting 
standards  as  expenses  in  the  year  of  payment  or  when  due,  and  disclosed  in  the 
notes  additional  information  on  the  Plan  such  as  the  unfunded  liability, 
contribution  rates,  and  the  percentage  of  their  membership  in  the  Plan. 

While  the  universities'  current  approach  uses  accounting  principles  for  not-for- 
profit  organizations,  the  universities  should  work  together  to  review  the 
accounting  treatment  for  the  unfunded  liability,  considering  accounting 
standards  and  legislative  requirements.  If  the  universities  can  calculate  their 
share  of  the  liability,  recording  this  amount  would  provide  better  information  to 
users  of  their  financial  statements.  Universities  should  agree  on  the  consistent 
treatment  of  the  unfunded  liability  in  their  respective  financial  statements,  and 
the  proper  presentation  of  the  liability  in  their  financial  statements  and  those  of 
the  Ministry  of  Advanced  Education  and  Technology. 

We  intend  the  recommendation  to  improve  the  financial  reporting  of  the 
liability  based  on  some  reasonable  assumptions  that  all  universities  agree  to  and 
to  ensure  their  financial  statements  comply  with  accounting  standards.  The 
recommendation  does  not  mean  that  universities  should  change  the  ongoing 
operation  of  the  Plan. 


Implications  and  risks  if  recommendation  not  implemented 

Financial-statement  users  may  not  fully  understand  the  universities  liabilities. 
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Performance  reporting 


Financial  statements 

This  chapter  includes  the  results  of  our  March  31,  2008  financial-statement  and 
performance  measures  audits  of  the  following  entities,  which  we  completed  since 
our  April  2008  Report. 

Ministry  of  Advanced  Education  and  Technology 
Department  of  Advance  Education  and  Technology 
Access  to  the  Future  Fund 
Alberta's  four  universities 
Alberta  Research  Council 
iCORE  Inc. 

Alberta  Heritage  Foundation  for  Medical  Research 
Alberta  Heritage  Foundation  for  Science  and  Engineering  Research 


Unqualified 
auditor's  reports 


Net  assets  would 
have  increased  by 
S4  billion 


Our  April  2009  report  will  include  the  results  of  the  financial-statement  audits  of 
public  colleges,  technical  institutions  and  their  related  entities.  These  entities  have  a 
June  30,  2008  year-end  and  our  work  will  be  completed  by  November  2008. 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  Department, 
Alberta  Research  Council,  iCORE  Inc.,  and  the  Access  to  the  Future  Fund  for  the 
year-ended  March  31,  2008  are  unqualified. 

The  Ministry  included  the  financial  statements  of  public  post-secondary  institutions 
using  the  modified  equity  basis  of  consolidation.  The  modified  equity  method  of 
consolidation  is  allowed  as  a  transition  to  line-by-line  consolidation,  which  will  be 
required  for  the  year  ending  March  31,  2009.  Under  line-by-line  consolidation,  the 
Ministry's  capital  assets  would  have  been  fully  consolidated  so  net  assets  at 
March  31,  2008  would  have  increased  by  approximately  $4  billion. 


Our  auditor's  reports  on  the  financial  statements  of  the  Alberta  Heritage  Foundation 
for  Medical  Research,  and  Alberta  Heritage  Foundation  for  Science  and 
Engineering  Research  for  the  year  ended  March  31.  2008  are  unqualified. 


Universities  and  their  related  entities 

We  audited  the  financial  statements  for  the  year  ended  March  31,  2008  of  the 
following  entities: 

•  Athabasca  University 

•  University  of  Alberta 

•  University  of  Calgary  and  its  subsidiaries/related  entities,  The  Arctic  Institute 
of  North  America,  The  University  of  Calgary  Foundation  (1999),  and  the 
University  Technologies  Group 

•  University  of  Lethbridge 
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Unqualified 
reports  for 
universities,  but 
fourth  paragraph 
added 


Auditor's  report 
for  Olympique 
Oval/Anneau 
Olympique 
qualified 


We  also  audited  financial  information  of  the  Olympic  Oval/Anneau  Olympique, 
operated  by  the  University  of  Calgary. 

Our  auditor's  reports  on  the  financial  statements  of  the  universities  and  their  related 
entities,  except  for  the  Olympic  Oval/Anneau  Olympique,  are  unqualified. 
However,  we  added  a  fourth  paragraph  to  draw  attention  to  the  notes  in  the  financial 
statements  that  describe  the  unfunded  liability  of  the  Universities  Academic  Pension 
Plan.  This  may  affect  the  Universities'  future  financial  statements.  Universities 
should  continue  to  work  together  and  with  the  Department  to  review  the  accounting 
treatment  of  the  unfunded  liability  of  the  Universities  Academic  Pension  Plan. 

Our  auditor's  report  on  the  financial  information  of  the  Olympic  Oval/Anneau 
Olympique,  operated  by  the  University  of  Calgary,  is  qualified  because  the 
statement  of  base  operating  costs  and  revenues  does  not  include  all  the  revenues  and 
expenses  for  maintaining,  managing  and  operating  the  Oval  facility.  We  could  not 
reasonably  determine  the  amount  of  excluded  revenues  and  expenses. 


Performance  measures 
One  exception        We  found  one  exception  on  the  specified  auditing  procedures  report  on  the 

Ministry's  performance  measure — ICT  Research  -  ratio  of  private  and  other  public 
investments  to  GOA  investments.  We  were  unable  to  match  information  from 
external  third  party  consultant  reports  to  information  that  the  Ministry  used  to 
calculate  the  results.  Therefore,  we  were  unable  to  conclude  that  the  results 
presented  were  reliable  and  comparable. 
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Agriculture  and  Food 


Our  audit  findings  and  recommendations 

1.   Agriculture  Financial  Services  Corporation 

1.1  Controls  for  manual  Canadian  Agricultural  Income  Stabilization  Claims — 
Implemented 

In  our  2006-2007  Annua]  Report  (pages  35  and  36),  we  recommended  that  the 
Agriculture  Financial  Services  Corporation  (Corporation)  improve  data-entry 
controls  for  manual  Canadian  Agricultural  Income  Stabilization  claims. 


Controls  over 
manual  claims 
improved 


The  Corporation  improved  controls  over  data  entry  for  manual  CAIS  claims  by: 

•  implementing  additional  review-and-verification  procedures  for  manual 
claims. 

•  informing  staff  of  the  importance  of  a  proper  review  and  of  accuracy  of 
data  to  meet  its  objectives. 

•  ensuring  manually  processed  claims  are  eventually  processed  through  the 
electronic  system  to  detect  any  errors. 


1.2  Developing  and  monitoring  compliance  with  an  information  technology 
security  policy — implemented 

In  our  2005-2006  Annual  Report  (vol.  2,  page  43),  we  recommended  that  the 
Corporation: 

•  improve  information  system  security  awareness. 

•  improve  monitoring  of  compliance  with  its  computer  access  policy  and 
procedures. 


Improved  training 
and  monitoring 
controls 


The  Corporation  implemented  the  recommendations  by: 

•  providing  security  awareness  training  to  employees. 

•  implementing  computer  access  policies  and  monitoring  their  effectiveness. 


Unqualified 
auditor's  reports 


Performance  reporting 


Financial  statements 

Our  auditor's  reports  on  the  Ministry  and  Department's  financial  statements  for  the 
year  ended  March  31,  2008  are  unqualified. 


Our  auditor's  report  on  the  Agriculture  Financial  Services  Corporation's  financial 
statements  for  the  year  ended  March  31,  2008  is  unqualified. 
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We  issued  unqualified  auditor's  reports  on  the  reconciliations  of  program  payments 
for  the  Canadian  Agricultural  Income  Stabilization  Program  years  ended 
March  31,  2004,  2005  and  2006. 


Performance  measures 
No  exceptions        yVe  found  no  exceptions  when  we  applied  specified  auditing  procedures  on  the 
Ministry's  performance  measures  in  the  Ministry's  2007-2008  Annual  Report. 
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Department 

implemented 

recommendation 


Department 

implemented 

recommendation 


Children's  Services 

Our  audit  findings  and  recommendations 

1 .  First  nation  expense  recoveries — implemented 

In  our  2004-2005  Annua]  Report  (page  130),  we  recommended  that  the 
Ministry  improve  its  systems  to  recover  expenses  for  providing  services  to 
children  and  families  ordinarily  resident  on  reserve. 

The  Department  implemented  our  recommendation  by: 

•  documenting  the  processes  and  controls  the  Child  and  Family  Services 
Authorities  (Authorities)  were  to  follow  for  billing  the  Designated  First 
Nations  Agencies. 

•  reviewing  quarterly  the  Authorities'  reconciliations  between  billings  and 
receipts  and  following  up  with  the  Authorities  on  old  accounts  receivable. 

2.  Costs  and  results  of  information — implemented 
Background 

In  our  2000-2001  Annual  Report  (page  62),  we  recommended  that  the  Ministry 
improve  the  systems  that  report  costs  and  results  of  operations. 

The  Department  implemented  our  recommendation  by: 

•  requiring  Authorities  to  implement  consistent  policies  and  procedures. 

•  developing  information  systems  for  each  of  its  key  programs. 

•  establishing  performance  targets  for  each  program  with  the  available 
information. 


Unqualified  audit 
opinions 


Performance  reporting 

Financial  statements 

We  issued  unqualified  audit  opinions  on  the  financial  statements  of  the  Ministry, 
Department,  and  the  following  10  Authorities,  for  the  year  ended  March  31,  2008: 

•  Calgary  and  Area  Child  and  Family  Services  Authority 

•  Central  Alberta  Child  and  Family  Services  Authority 

•  East  Central  Alberta  Child  and  Family  Services  Authority 

•  Edmonton  and  Area  Child  and  Family  Services  Authority 

•  Metis  Settlements  Child  and  Family  Services  Authority 

•  North  Central  Alberta  Child  and  Family  Services  Authority 

•  Northeast  Alberta  Child  and  Family  Services  Authority 

•  Northwest  Alberta  Child  and  Family  Services  Authority 

•  Southeast  Alberta  Child  and  Family  Services  Authority 
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•     Southwest  Alberta  Child  and  Family  Services  Authority 

Performance  measures 
No  exceptions       We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Education 

Our  audit  findings  and  recommendations 

Risk  management— implemented 

In  our  2001-2002  Annual  Report  (No.  36,  page  192),  we  recommended  that  the 
Department  of  Education  (formerly  Learning)  establish  a  risk  management  process 
to  improve  the  effectiveness  of  its  control  and  monitoring  activities.  This  was  a 
continuation  of  a  recommendation  first  made  in  1999. 


Risk  management 
processes 


The  Department  implemented  our  recommendation  by: 

•  Establishing  a  process  to  identify  and  prioritize  risk. 

•  Designing  strategies  for  managing  risk. 

•  Allocating  resources  to  areas  of  the  greatest  risk. 

•  Developing  a  common  language  and  framework  for  understanding  and 
communicating  important  issues. 

•  Allowing  for  measurement,  monitoring  and  reporting. 


Unqualified 
auditor's  report 


Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  Department,  and 
the  Alberta  School  Foundation  Fund  for  the  year  ended  March  3 1 ,  2008  are 
unqualified. 

The  modified  equity  method  of  consolidation  is  allowed  as  a  transition  to 
line-by-line  consolidation,  which  will  be  required  for  the  year  ending 
March  31,  2009. 


Net  assets  would 
have  increased  by 
$2.7  billion 


Under  line-by-line  consolidation,  the  Ministry's  capital  assets  would  have  been  fully 
consolidated  so  net  assets  at  March  31,  2008  would  have  increased  by 
approximately  $2.7  billion. 


Performance  measures 
No  exceptions        We  found  no  exceptions  when  we  applied  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Improve 
monitoring  and 
enforcement 


WCB:  improve 

purchasing 

controls 


Employment,  Immigration  and 
Industry 

Summary  of  our  recommendations 

The  Department  should  improve  its  systems  to  approve  tuition-based  training 
programs  and  monitor  and  enforce  training  providers'  compliance  with  legislation 
and  policies— see  pages  245  and  249.  The  Department  should  also  improve  the  use 
of  its  information  systems — see  page  251. 

The  Workers'  Compensation  Board  should  consistently  enforce  its  employee 
purchasing  card  procedures — see  page  253. 


Department  paid 
$52  million  tuition 
in  2006-07 
academic  year 


Department  pays 
tuition  for 
approved 
programs  so 
people  can 
improve  skills 


More  than  200 
training  providers 
receive  tuition- 
based  funding 


Our  audit  findings  and  recommendations 

1 .    Department — Systems  to  provide  tuition-based  training  to  learners 
1.1  Summary 

The  Department  of  Employment  and  Immigration's  tuition-based  funding 
program  has  operated  since  2002-2003.  For  the  2006-2007  academic  year,  the 
Department  spent  $52!  million  in  tuition  fees  to  upgrade  eligible  learners' 
(students')  employment  skills  or  prepare  learners  for  further  training.  During 
the  year,  the  Department  paid  tuition  and  benefits  for  about  13,0002  learners. 

The  Department's  delivery  model  for  the  program  allows  learners  to  select  a 
training  provider  and,  if  the  program  is  approved  and  the  learner  is  eligible,  the 
Department  pays  the  tuition  fee  for  the  learner  directly  to  the  training  provider. 
Approved  programs  include  occupational  programs  such  as  legal  assistant  and 
practical  nurse,  and  pre-occupational  programs  such  as  academic  upgrading  and 
English  as  an  Additional  Language. 

The  Department  provides  tuition-based  training  through  four  main  types  of 
training  providers — private  vocational  schools,  accredited  schools,  private 
providers,  and  public  post-secondary  institutions.  Currently,  more  than 
200  training  providers  receive  tuition-based  funding  from  the  Department. 
Approximately  40  of  these  training  providers  also  provide  case  management 


1  The  source  of  the  tuition  fee  payments  is  based  on  an  analysis  of  IMAGIS  payment  data  from  September  1 ,  2006  to 
August  31.  2007. 

2  The  source  of  the  number  of  learners  is  based  on  an  analysis  of  IMAGIS  payment  data  from  September  1.  2006  and 
August  31,  2007. 
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c 


Case  management 
services  for 
learners 


services  to  learners  under  an  accountability  framework  agreement  (AFA)  with 
the  Department.  The  Department  and  third  party  contractors  provide  case 
management  services  for  learners  who  do  not  attend  an  AFA  provider. 

Case-management  services  are  key  in  delivering  tuition-based  training.  These 
services  include  assessing  learner  eligibility,  monitoring  learner  progress  and 
attendance,  and  following  up  to  see  if  learners  have  found  employment  or 
moved  on  to  further  training.  Case  managers  work  with  learners  to  ensure  that 
they  receive  appropriate  training  and  to  monitor  their  progress. 


Does  Department 
have  good  systems 
to  run  program 


We  examined  whether  the  Department  has  adequate  systems  to  approve  tuition- 
based  training  programs  and  to  monitor  and  enforce  training  providers' 
compliance  with  legislation  and  policies.  We  also  examined  the  Department's 
response  to  allegations  against  Canadian  College  Institute  International  (CCII) 
and  CDI  College  Edmonton  (CDI)  of  non-compliance  and  misuse  of  public 
funds. 


Scope  excludes 
contracted  courses 
and  financial 
benefits  to  learners 


Department  needs 
to  set  clear 
expectations  and 
measure  results 


Monitoring 
program  does  not 
consider  outcomes 
or  routinely 
quantify  refunds 


Inconsistent 
follow  up  on 
compliance 
problems 


We  did  not  examine  training  provided  to  learners  where  the  Department 
contracts  with  a  training  provider  to  deliver  a  specific  program  to  a  group  of 
learners  or  where  the  Department  directly  delivers  training  to  learners.  Also,  we 
did  not  examine  systems  to  issue  living  allowances  or  Alberta  Health  Benefit 
cards  or  Apprenticeship  Program  payments. 

The  Department  has  policies  and  procedures  for  approving  and  renewing 
training  programs.  It  can  improve  them  by  setting  clear  performance 
expectations  for  training  programs  and  providers  when  it  approves  a  program 
and  by  considering  performance  results  in  the  renewal  process. 

The  Department  has  an  established  monitoring  program  for  training  providers 
that  identifies  cases  of  training  provider  non-compliance  with  Department 
policy  and  legislative  requirements.  However,  the  monitoring  process  does  not 
assess  a  training  provider's  achievement  of  learner  outcomes.  Also,  this 
monitoring  process  does  not  routinely  quantify  tuition  fee  refunds  payable  to 
the  Department  if  the  training  provider  is  not  complying  with  withdrawal 
policies. 

The  Department's  processes  for  following  up  non-compliance  problems  with 
training  providers  are  inconsistent  and  policies  and  procedures  are  not  clearly 
defined. 
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CCII  follow-up 
reasonable;  CDI 
did  not  go  far 
enough 


Three 

recommendations 
to  improve 
systems 


We  found  that  the  Department  took  reasonable  steps  to  respond  to  a  public 
complaint  alleging  non-compliance  and  misuse  of  public  f  unds  by  CCII.  The 
Department's  review  of  CDI  did  not  go  far  enough  to  identify  potential  tuition 
fee  refunds  payable  to  the  Department. 

Our  main  recommendation  is  for  the  Department  to  improve  its  processes  for 
monitoring  training  providers'  compliance  with  department  policies  and 
legislated  requirements.  We  also  recommend  that  the  Department  develop  and 
communicate  its  performance  expectations  to  training  providers  and  improve 
the  use  of  its  information  systems  to  manage  the  program. 


2.    Findings  and  recommendations 
2.1  Monitoring  and  enforcement  of  training  providers 
Recommendation  No.  24 

We  recommend  that  the  Department  of  Employment  and  Immigration 
improve  its  monitoring  of  tuition-based  training  providers  by: 

•  assessing  whether  performance  expectations  are  being  met. 

•  quantifying  tuition  refunds  that  may  be  owing  to  the  Department. 

•  implementing  policies  and  procedures  that  outline  steps  and  timelines 
for  dealing  with  non-compliance  problems. 


Auditing  firm 
assesses  training 
providers* 
compliance 


Comprehensive 
report  on  results  of 
compliance  audits 


Background 

Monitoring  systems 

The  Department  has  hired  an  auditing  firm  to  annually  monitor  and  assess 
training  providers'  compliance  with  the  Training  Provider  Regulation  and 
Department  policies.  The  firm  conducts  audits  on  a  sample  of  all  training 
providers.  It  uses  a  risk-based  methodology  to  decide  which  training  providers 
to  audit.  The  audits  examine  training  provider  compliance  in  key  areas  of 
training  provider  responsibility  such  as  maintaining  records  of  learners' 
progress,  attendance  and  withdrawals.  If  the  training  provider  is  an  AFA  holder, 
the  audit  also  examines  compliance  with  case-management  responsibilities  such 
as  assessing  learner  eligibility  and  conducting  follow-up  assessments  to  see  if 
learners  have  found  employment. 

The  firm  provides  a  comprehensive  report  to  the  Department  on  the  results  of 
each  audit.  The  report  provides  a  compliance  rate  for  each  area  of  responsibility 
and  then  calculates  an  overall  compliance  rate  for  that  training  provider.  The 
firm  makes  recommendations  to  training  providers,  based  on  its  review  of  them. 
The  firm  also  gives  the  Department  a  report  summarizing  the  results  of  all 
audits  and  identifying  overall  areas  of  non-compliance  and  risk. 
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Staff  at  six 
regional  offices 
must  follow  up  on 
results  of  reports 


Remedies  under 
Act 


Monitoring 
processes  can  be 
improved 


No  clear  targets 


Learner  outcomes 
not  assessed 


Follow-up  on  monitoring  reports 

Staff  at  the  Department's  six  regional  offices  follow-up  on  the  results  of 
compliance  audits.  Staff  also  follow-up  on  complaints  and  inquiries  from 
learners.  Follow-up  consists  of  site  visits  of  training  providers  by  regional 
management  to  discuss  implementing  the  firm's  recommendations  or  to 
investigate  complaints. 

The  Income  Support  Act  describes  remedial  action  available  if  training 
providers  do  not  comply  with  the  Actor  Regulation.  The  Department  can: 

•  withhold  later  payments  if  a  tuition  fee  is  not  refunded. 

•  restrict  the  number  of  learners  a  training  provider  may  accept. 

•  terminate  or  suspend  agreements. 

•  audit  the  books  and  records  of  the  training  provider. 

•  issue  a  notice  of  an  administrative  penalty. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  a  process  to  monitor  and  enforce  training 
providers'  compliance  with  legislation,  program  objectives,  and  any 
accountability  agreements. 

Our  audit  findings 

Monitoring 

The  Department  has  a  process  to  monitor  training  providers  that  involves 
auditing  them  using  a  risk-based  audit  approach.  The  existing  monitoring 
process  is  working  as  designed  but  the  Department  needs  to  improve  the 
effectiveness  of  its  processes. 

The  Department  has  not  established  target  compliance  rates  to  guide  its 
monitoring  activities.  Target  compliance  rates  for  each  key  area  of  training 
provider  responsibility  such  as  maintaining  adequate  records  of  learner  progress 
and  recording  withdrawals  would  help  the  Department  focus  on  significant  non- 
compliance issues. 

The  monitoring  process  does  not  assess  a  training  provider's  achievement  of 
learner  outcomes  because  performance  expectations  for  a  specific  program  have 
not  been  communicated  to  training  providers.  Without  clear  performance 
expectations  and  targets  it  is  difficult  to  conclude  whether  a  training  provider  is 
meeting  the  Department's  expected  outcomes  and  what  follow-up  action  is 
required. 
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Determine 
potential  refunds 
from  withdrawals 


Compliance  not 

consistently 

enforced 


Inconsistent 
follow-up  of 
monitoring  reports 
and  action  plans 


Give  staff  and 
training  providers 
guidance  on 
enforcement 


The  Department's  compliance  audits  identify  a  training  provider's  compliance 
rates  in  recording  student  withdrawals  from  programs.  However,  the 
Department  does  not  require  compliance  audits  to  routinely  determine  the 
amount  of  any  tuition  fee  refunds  arising  from  these  withdrawals. 

Follow-up  on  monitoring  reports 

The  Department  has  a  process  to  follow  up  with  training  providers  to  review 
monitoring  results  and  develop  action  plans  to  deal  with  non-compliance 
matters.  However,  the  processes  to  follow  up  on  non-compliance  matters  are 
not  consistently  applied  and  enforced. 

The  Department  does  not  consistently  follow  up  on  the  results  of  the  monitoring 
reports.  Regions  are  inconsistent  in  how  to  correct  compliance  problems 
identified  in  the  monitoring  reports.  In  some  cases,  regional  area  staff  work  with 
training  providers  to  develop  plans  to  correct  problems.  However,  the 
Department  does  not  require  action  plans  in  all  cases.  Also,  the  steps  the  regions 
take  are  not  adequate  to  confirm  compliance  problems  are  corrected. 

The  Department  needs  to  provide  guidance  for  staff  to  help  them  determine  the 
enforcement  actions  to  take  with  a  non-compliant  training  provider.  The  Income 
Support  Act  provides  several  enforcement  options,  but  the  Department  policies 
do  not  clearly  indicate  when  to  take  these  steps.  Any  such  guidance  or  policy 
should  also  be  communicated  to  training  providers  so  they  are  aware  of  the 
steps  that  will  be  taken  to  enforce  compliance. 


Complaint  of  non- 
compliance and 
misuse  of  funds 


Canadian  College  International  Institute  (CCII) 

In  July  2004,  the  Department  received  a  complaint  about  CCII  alleging  non- 
compliance in  a  number  of  areas  and  the  misuse  of  public  funds.  Allegations 
included: 

•  falsification  of  grades  and  attendance  records. 

•  the  reduction  of  instruction  hours  below  the  minimum  requirements. 


Department  took 
reasonable  steps  to 
investigate 


We  examined  whether  the  Department  took  reasonable  steps  to  assess  the 
allegations  and  identify  non-compliance  issues. 

Overall,  we  found  that  the  Department  took  reasonable  steps  to  follow  up  on  the 
complaint.  From  August  2004  to  September  2005,  it  took  several  actions  to 
assess  the  extent  and  cost  of  non-compliance.  The  Department  hired  an  auditing 
firm  to  conduct  two  special  audits  of  CCII,  in  addition  to  the  regular  compliance 
audits  that  it  carries  out  each  year.  Also,  the  Department  consulted  with  the 
Ministry  of  Justice.  It  then  worked  with  CCII  to  review  records  and  conduct 
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additional  procedures  to  determine  non-compliance  costs.  This  work  was  based 
on  an  action  plan  developed  by  CCII  and  the  Department. 


Monitoring  found 
non-compliance  at 
CCII 


More  problems 
found  with 
attendance  and 
repeated  courses 


Department  and 
CCII  agreed  on 
two  plans 


Another  audit  to 
calculate  non- 
compliance costs 

Firm  calculated 
non-compliance 
cost  of  $59,312 


Department 
reviewed  costs  and 
agreed  to  $22,362 
reimbursement 
from  CCII 


Improve  process 
for  compliance 
with  specific  steps 
and  timelines 


Audit  insufficient 
to  identify  refunds 
due  to  non- 
compliance 


The  following  summarizes  the  Department's  steps  on  the  CCII  complaint: 

•  In  August  2004,  the  auditing  firm  conducted  its  regularly  scheduled 
compliance  audit  and  identified  a  number  of  compliance  problems, 
including:  unauthorized  repeating  of  classes;  progressing  students  when 
they  failed  a  course;  exceeding  the  unexcused  absence  limit;  and  inaccurate 
information  in  attendance  records. 

•  In  September  2004,  the  Department  asked  the  firm  to  conduct  additional 
procedures  to  determine  if  the  public  complaint  allegations  had  merit  and  to 
calculate  the  cost  of  non-compliance.  In  November  2004,  the  firm  issued  its 
report  to  the  Department,  identifying  problems  with  attendance 
requirements  and  unauthorized  repeating  of  courses. 

•  On  November  29,  2004,  the  Department  met  with  CCII  representatives  to 
discuss  the  audit  results.  They  agreed  on  two  action  plans.  One  focused  on 
solving  the  non-compliance  problem;  the  second  plan  focused  on  the 
process  for  verifying  non-compliance  costs  the  report  identified. 

•  In  January  2005,  the  Department  asked  the  firm  to  do  additional  work  to 
calculate  the  actual  costs  of  non-compliance  and  do  further  procedures  to 
assess  the  allegations  of  manipulated  records. 

•  In  April  2005,  the  firm  submitted  its  report  to  the  Department,  calculating 
non-compliance  costs  of  $59,312.  The  firm  also  gave  a  draft  report  to  CCII, 
which  then  explained  why  it  believed  the  proposed  the  cost  calculation  for 
non-compliance  should  be  reduced. 

•  The  Department  visited  CCII  to  do  its  own  review  and  examine  learner 
files  to  verify  CCII's  submission  to  reduce  non-compliance  costs.  After  the 
Department  finished  its  review,  it  agreed  to  reduce  the  non-compliance 
costs  for  CCII  to  reimburse  to  $22,362  from  $59,312.  One  reason  for  the 
reduction  was  that  the  Department  and  CCII  had  a  different  interpretation 
of  the  deemed  withdrawal  date  set  out  in  the  Training  Provider  Regulation. 
In  September  2005,  the  Department  recovered  $22,362  from  CCII. 

Although  the  Department  responded  reasonably  to  the  complaint,  it  can 
improve  its  processes  by  having  specific  policies  and  procedures  that  clearly 
prescribe  steps  and  timelines  for  dealing  with  non-compliance.  This  would 
support  a  fair  and  consistent  process  for  dealing  with  all  training  providers. 

CDI  College  (CDI)  Edmonton 

The  Department's  compliance  audit  found  that  CDI  repeatedly  failed  to  comply 
with  attendance  and  withdrawal  requirements.  The  Department  developed  an 
action  plan  with  CDI  to  prevent  future  non-compliance.  The  Department  also 


248 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Financial  statement  and  other  assurance  audits 


Employment,  Immigration  and  Industry 


did  its  own  review  to  assess  the  quality  of  case-management  services  that  CDI 
provides  to  learners.  But  the  Department's  audit  did  not  go  far  enough  to 
identify  potential  tuition-fee  refunds  due  to  non-compliance  with  the 
withdrawal  policy. 

Implications  and  risks  if  recommendation  not  implemented 

Training  providers  with  poor  performance  may  continue  to  receive  funding 
from  the  Department  and  provide  training  to  learners. 

2.2  Approving  and  renewing  training  programs 
Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration 
improve  its  systems  for  approving  and  renewing  programs  by: 

•  clearly  defining  criteria  for  approving  each  program. 

•  developing  clear  performance  expectations  for  each  program  and 
training  provider. 

•  using  its  monitoring  results  to  decide  whether  to  renew  a  program. 


Department  policy 
has  guidelines  on 
program  approval 


Private  vocational 
programs  licensed 
by  the  Department 
of  Advanced 
Education  and 
Technology 


Department 
approves  some 
programs  based  on 
criteria  in 
Regulation 


Background 

Training  program  and  provider  approval 

The  Training  Provider  Regulation,  approved  in  2003,  outlines  requirements  for 
training  providers  offering  a  tuition-based  program.  It  also  requires  the 
Department  to  approve  the  program.  In  October  2007,  the  Department 
developed  a  policy  with  guidelines  on  program  approval. 

The  Department  relies  on  the  Department  of  Advanced  Education  and 
Technology  to  license  private  vocational  programs  delivered  by  private 
institutions.  For  example,  the  Department  will  pay  the  tuition  for  a  learner  to 
attend  licensed  programs  such  as  professional  legal  assistant  and  information 
technology  specialist  offered  by  private  vocational  schools.  It  also  relies  on 
processes  at  the  Department  of  Advanced  Education  and  Technology  for 
approving  diploma  and  certificate  programs  offered  by  public  post  secondary 
institutions.  The  Department  will  pay  tuition  for  a  learner  to  attend  these 
programs  if  the  programs  do  not  exceed  20  months,  are  not  part  of  a  degree 
program,  and  have  tuition  fees  less  than  $15,000. 

Other  programs  the  Department  approves  must  meet  certain  criteria  prescribed 
in  the  Training  Provider  Regulation.  For  example,  the  Department  must 
consider  whether  employment  opportunities  exist  for  graduates  of  a  particular 
program.  The  Department  must  also  consider  the  likelihood  of  the  training 
provider  meeting  reasonable  performance  expectations  the  Department  sets. 
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Training  providers 
must  apply  for 
approval 


Program  renewal 
done  annually 


The  Department's  approval  process  includes  requiring  the  training  provider  to 
complete  a  comprehensive  application  form.  The  Department  reviews  the 
application  and  then  tells  the  training  provider  whether  it  has  approved  them. 

Training  providers  must  apply  for  renewal  each  year.  Department  policy  sets 
out  the  factors  it  considers  in  renewing  a  program.  If  a  program  is  not  renewed, 
learners  will  not  receive  Department  funding  to  attend  it.  Some  of  the  factors 
are  whether: 

•  tuition  fees  are  reasonable  compared  to  those  in  previous  years  and  similar 
programs. 

•  the  training-provider  audit  and  monitoring  results  are  satisfactory. 

•  performance  outcomes  of  the  training  provider  are  met. 

•  other  training  providers  can  deliver  the  program. 


Establish 
evaluation  criteria 
for  each  program 


Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  systems  in  place  to  ensure  that  programs  offered 
by  training  providers  are  approved  and  meet  its  objectives. 

The  Department  should  clearly  define  expectations,  roles  and  responsibilities  of 
training  providers  and  communicate  them  to  training  providers. 

Our  audit  findings 

Criteria  for  approving  each  program 

The  Training  Provider  Regulation  outlines  the  approval  requirements  for 
programs  offered  by  training  providers  and  the  Department  has  developed 
approval  and  renewal  policies  and  procedures.  The  Department  needs  to 
improve  its  approval  process  by  establishing  evaluation  criteria  specific  to  each 
program.  For  example,  the  Department  does  not  have  consistent  criteria  for 
approving  English  as  an  Additional  Language  programs  offered  by  several 
training  providers. 


Training  provider 

responsibilities 

clear 


No  set 
performance 
expectations  for 
training  providers 


Expectations  of  training  providers 

The  Training  Provider  Regulation  outlines  the  roles  and  responsibilities  of 
training  providers  for  providing  programs.  But  the  Department  has  not 
communicated  performance  expectations  for  acceptable  learner  outcomes  or 
compliance  targets  to  training  providers. 

While  the  Department  has  developed  overall  performance  measures  to  assess 
the  success  of  its  Skills  Investment  Program,  it  needs  to  define  expectations  for 
training  providers  more  clearly.  Training  providers  must  comply  with  the 
Income  Support  Act,  the  Training  Provider  Regulation,  and  any  agreement  they 
sign  with  the  Department.  But  the  Department  has  not  set  or  communicated 
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performance  expectations  for  key  success  measures  related  to  learner  outcomes 
such  as  learner  success  in  completing  programs  and/or  obtaining  employment. 
The  Department  has  also  not  communicated  compliance  audit  targets  to  training 
providers  that  cover  key  responsibilities  such  as  compliance  with  Department 
withdrawal  policies. 

The  Department  enters  into  accountability  framework  agreements  for  case- 
management  services  with  certain  training  providers.  These  agreements  outline 
the  training  providers'  responsibilities  for  delivering  case-management  sen  i<  es. 
But  they  do  not  clearly  define  the  Department's  performance  expectations  for 
the  training  provider's  delivery  of  programs.  Performance  expectations  should 
be  part  of  the  AFA  provider  agreements. 

For  non-AFA  training  providers,  the  Department  needs  to  develop  a  way  to 
communicate  expectations  when  it  approves  a  program.  If  a  training  provider 
consistently  fails  to  meet  certain  performance  targets,  the  Department  can 
consider  this  when  assessing  whether  to  renew  a  program. 

Renewing  programs 

The  Department's  policy  for  renewing  a  training  program  is  not  consistently 
followed.  It  assesses  the  reasonableness  of  tuition  fees  at  renewal.  But  staff  do 
not  consistently  consider  other  criteria  set  out  in  its  policy.  Criteria  such  as 
"reviewing  compliance  monitoring  results"  or  "assessing  whether  performance 
expectations  were  achieved"  are  not  consistently  considered  in  renewal 
decisions.  The  problem  arises  partly  because  six  regional  offices  and  several 
regional  staff  are  responsible  for  renewing  programs. 

Implications  and  risks  if  recommendation  not  implemented 

Without  setting  clear  expectations,  the  Department  may  approve  programs  that 
do  not  improve  employment  and  training  outcomes  for  learners. 

2.3  Improve  the  use  of  information  systems 
Recommendation 

We  recommend  that  the  Department  of  Employment  and  Immigration 
improve  the  use  of  its  information  systems  by: 

•  integrating  its  payment-processing  system  with  other  learner  databases 
to  ensure  that  tuition  fee  payments  are  accurate. 

•  implementing  adequate  controls  to  ensure  all  key  learner  data  is 
promptly  updated  in  the  system. 

•  using  exception  reports  to  detect  potential  non  compliance  problems. 


Agreements  do  not 
include 
performance 
expectations 


Communicate 
expectations  to  all 
providers 


Renewal  policy 
not  consistently 
applied 
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Background 

The  Department  uses  three  information  systems  to  manage  this  program: 

•  a  learner-information  database — includes  learner  contact  and  program 
information.  It  also  has  information  on  attendance,  withdrawal,  and 
assessments  done  on  a  learner. 

•  a  payment-processing  system — used  to  process  payments  to  training 
providers  and  learners. 

•  an  approved-programs-and-tuition-fees  database— used  to  track  programs 
eligible  for  funding  for  each  training  provider  and  the  amount  of  the 
approved  tuition  fee.  It  is  updated  annually. 


Three  information 
systems  to  manage 
program 


Criteria:  the  standards  we  used  for  our  audit 

A  process  should  exist  to  confirm  that  the  amount  of  tuition  fees  paid  is 
accurate,  and  refunds  are  promptly  identified  and  collected. 

The  Department  should  have  an  information  system  that  generates  relevant, 
accurate  and  reliable  information  on  training  providers  and  learners  the 
Department  funds. 


Three  systems  not 
integrated 


Tuition  payments 
may  exceed 
approved  amounts 


Payments  may  be 
made  before 
eligibility 
confirmed 


Withdrawal  date 
not  input  for 
learners:  refunds 
may  be  missed 


Our  audit  findings 

The  Department  has  three  information  systems  that  collect  key  data  and  process 
payments  to  training  providers  and  learners.  However,  these  information 
systems  that  support  the  administration  of  the  tuition-based  funding  program 
are  not  integrated.  As  a  result,  the  Department  is  not  using  the  information  in 
the  systems  effectively  and  efficiently  to  manage  the  program. 

The  following  are  some  examples  of  areas  that  need  improvement: 

•  The  Department's  database  stores  information  on  the  approved  maximum 
tuition  fee  for  each  program.  The  database  and  the  payment  system  are  not 
integrated,  and  the  Department  pays  the  tuition  fee  based  on  the  learners' 
application  for  funding,  not  on  the  amount  approved  in  the  database.  As  a 
result,  tuition  payments  may  exceed  the  approved  amount. 

•  One  of  the  information  systems  has  fields  to  be  updated  when  a  case 
manager  assesses  if  a  learner  is  eligible  for  funding.  Because  this  system  is 
not  integrated  with  the  payment-processing  system,  inadequate  controls  are 
in  place  to  ensure  payments  are  processed  only  after  eligibility  is 
confirmed. 

•  Refunds  payable  to  the  Department  under  the  Training  Provider  Regulation 
are  based  on  the  withdrawal  date.  But  this  date  does  not  have  to  be  entered 
into  the  information  system  for  learners  who  have  not  completed  training. 
We  examined  20  samples  where  the  learner  had  not  completed  the 
program— in  1 1  cases,  the  withdrawal  date  was  not  entered  into  the  system. 
So  the  Department  may  not  have  collected  refunds  owed  to  it. 
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Not  all  key  data 
input  to  systems 


Information 
system  not  used 
effectively  to 
detect  or  prevent 
non-compliance 


As  well,  the  Department  has  not  implemented  adequate  controls  to  ensure  all 
data  required  by  case  managers  is  updated  into  the  information  system.  For 
example,  if  a  learner  submits  updated  contact  information  directly  to  the 
Department,  this  information  is  not  entered  into  the  information  system  that 
case  managers  use.  As  a  result,  case  managers  may  have  difficulty  reaching 
learners  to  confirm  program  status  and  complete  their  follow-up  assessments. 

The  Department  can  also  improve  the  reporting  functions  of  its  information 
systems  to  detect  potential  non-compliance.  Reports  could  be  generated  to 
highlight  exceptions  such  as: 

•  case  managers  not  doing  an  eligibility  assessment. 

•  follow-up  assessments  not  completed  30,  90  or  180  days  after  a  learner  has 
finished  a  program. 

•  learners  taking  unauthorized  repeat  courses. 


Implications  and  risks  if  recommendation  not  implemented 

Lack  of  integrated  information  systems  may  result  in  overpayments  of  tuition 
fees.  And  the  Department  may  miss  out  on  refunds  it  is  owed. 

3.   Workers'  Compensation  Board  (WCB)— Enforce  procedures  and 
guidelines  for  purchasing-card  program 
Recommendation 

We  recommend  that  the  Workers'  Compensation  Board  enforce  its 
procedures  and  guidelines  for  the  purchasing-card  program  by  ensuring 
that  all  purchasing-card  reports  are  appropriately  approved  and  have 
supporting  documentation. 


WCB  guidelines 
for  purchasing 
cards 


Management 
Audit  Services 
tested  purchasing- 
card  transactions 


Background 

Most  purchases  of  goods  and  services  by  the  Workers'  Compensation  Board 
(WCB)  are  made  with  purchasing  cards.  As  of  November  2007,  WCB  had 
issued  208  purchasing  cards  to  staff.  WCB  has  procedures  and  guidelines  on 
using  and  managing  purchasing  cards. 

Management  Audit  Services  (MAS)  tested  purchasing-card  transactions  to 
evaluate  compliance  with  WCB  purchasing  guidelines  and  to  assess  the 
effectiveness  of  related  processes.  MAS  gave  its  reviews  to  WCB's 
procurement  advisor  to  ensure  appropriate  follow-up  takes  place. 


Supervisors  need 
to  approve 
purchases 


Criteria:  the  standards  we  used  for  our  audit 

Employees'  supervisors  should  review  and  approve  cardholder  statements  after 
matching  all  purchases  on  the  expense  report  to  the  supporting  invoice  or  other 
documentation. 
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WCB  should 
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missing 


Prompt  follow-up 
by  WCB  missing 


WCB  should  promptly  investigate  exceptions  revealed  by  testing  and  ensure 
compliance  with  procedures  and  guidelines. 

Our  audit  findings 

We  tested  a  sample  of  purchasing  card  transactions — part  of  a  larger  sample 
MAS  tested  for  the  first  two-quarters  of  2007.  Two  of  six  samples  from  the 
MAS  report  lacked  supporting  documentation  and  one  was  not  signed  by  the 
employee's  supervisor. 

MAS  identified  these  exceptions  in  its  work,  but  WCB  had  not  followed  up  on 
them  as  of  November  2007. 


Invalid  purchases 


Implications  and  risks  if  recommendation  not  implemented 

WCB  may  record  unauthorized  or  personal  purchases  as  expenditures. 


Unqualified 
auditor's  reports 


Performance  reporting 

Financial  statements 

Our  auditor's  report  on  the  Ministry  financial  statements  for  the  year  ended 
March  31,  2008  is  unqualified. 

We  issued  an  unqualified  audit  opinion  for  the  March  31,  2008  Labour  Market 
Development  Claim. 

We  issued  an  unqualified  audit  opinion  for  the  March  31,  2007  Employability 
Assistance  for  People  with  Disabilities  Claim. 

We  issued  an  unqualified  auditor's  opinion  on  the  financial  statements  of  WCB  for 
the  year  ended  December  31,  2007.  We  also  issued  an  unqualified  auditor's  opinion 
on  the  schedule  of  administrative  charges  of  WCB  for  the  year  ended 
December  31,  2007. 


Performance  measures 
No  exceptions       vVe  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures  in  the  Ministry's  2007-2008  Annual  Report. 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on 
WCB's  performance  measures  in  its  accountability  framework. 
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Summary  of  our  recommendations 

The  Department  should  quantify  the  environmental  benefits  of  projects  approved 
under  the  bioenergy  initiative — see  section  1  below. 

We  recommend  that  the  Department  strengthen  its  controls  over  the  initial  reporting 
of  fuel  gas  volumes  and  monitoring  of  amendments  to  those  same  volumes — see 
page  257. 


Our  audit  findings  and  recommendations 

1.   Alberta's  Bioenergy  Programs 
Recommendation  No.  25 
We  recommend  that  the  Department  of  Energy: 

•  undertake  and  document  its  analysis  to  quantify  the  environmental 
benefits  of  potential  bioenergy  technologies  to  be  supported  in  Alberta. 

•  establish  adherence  to  the  Nine  Point  Bioenergy  Plan  as  a  criterion 
within  its  bioenergy  project  review  protocol,  and  require  grant 
applications  to  indicate  the  projected  environmental  benefits  of 
proposed  projects. 

•  prior  to  awarding  grants  in  support  of  plant  construction,  require 
successful  applicants  to  quantify — with  a  life  cycle  assessment — the 
positive  environmental  impact  relative  to  comparable  non-renewable 
energy  products. 


Bioenergy  part  of 
Province's 
emission  reduction 
strategy 


Background 

The  2002  Albertans  &  Climate  Change:  Taking  Action  Plan  and  the  2008 
Climate  Change  Strategy  identify  developing  alternate  energy  in  Alberta  as  a 
key  action  for  meeting  the  province's  emissions  reduction  targets.  Alternative 
energy  includes  wind  and  solar  power,  hydrogen,  geothermal  energy  and 
bioenergy.  Alberta's  Nine  Point  Bioenergy  Plan  and  the  Bioenergy  Policy 
Framework  guide  the  development  of  bioenergy.  The  Ministry  of  Energy 
administers  the  bioenergy  plan  and  framework. 

The  objective  of  the  $239  million  bioenergy  plan  is  to  stimulate  ethanol, 
biodiesel  and  biogas  development  in  Alberta  through  three  major  grant 
programs: 

•  Biorefining  Commercialization  and  Market  Development  Program. 

•  Bioenergy  Infrastructure  Development  Program. 

•  Renewable  Energy  Producer  Credit  Program. 
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The  policy  framework  describes  the  desired  outcomes  within  Alberta,  critical 
policy  objectives,  guiding  principles,  and  policy  decision  criteria.  The 
framework  requires  that  the  environmental  impact  of  bioenergy  projects  funded 
by  the  Ministry  be  equal  to  or  less  than  the  impact  of  existing  energy  products. 
Proponents  must  therefore  quantify  whether  there  is  an  environmental  benefit  to 
the  project. 

During  2007,  2008  and  the  first  quarter  of  fiscal  2009,  the  Department 
approved  multi-year  grants  totalling  about  $93  million  for  61  projects  under  the 
three  grant  programs.  The  objectives  of  projects  funded  by  the  two 
development  grant  programs  are  to  develop  production  facilities,  to  conduct 
studies  to  assess  market  sustainability  and  to  test  new  bioenergy  technology. 
Under  the  Producer  Credit  Program,  the  Department  provides  grants  to 
companies  who  produce  bioenergy. 

Life  cycle  Life  cycle  assessment  is  the  examination  of  the  full  environmental  impact  of  a 

product  over  its  entire  life  cycle — from  raw  material  acquisition  to 
manufacturing,  distribution,  use  and,  ultimately,  disposal.1 

Criteria:  the  standards  we  used  for  our  audit 

Projects  funded  under  bioenergy  grant  programs  should  demonstrate,  using  a 
life-cycle  assessment  approach,  that  the  full  environmental  impact  of  all  stages 
of  bioenergy  production  and  use  is  equal  to  or  less  than  the  impact  of  the  energy 
products  the  project  is  replacing. 

Our  audit  findings 

Although  the  policy  framework  requires  an  assessment  of  the  environmental 
impact,  the  grant  applications  we  reviewed  did  not  have  any  environmental- 
impact  information  and  the  criteria  for  evaluating  the  projects  did  not  include 
an  assessment  of  the  environmental  impact. 

Although  Ministry  staff  said  they  believe  the  net  environment  impacts  of  these 
programs  will  be  positive,  the  Ministry  has  not  done  any  overall  analysis  to 
indicate  that  the  alternative  fuels  generated  because  of  these  programs  will 
reduce  the  province's  greenhouse  gas  emissions. 

Implications  and  risks  if  recommendation  not  implemented 

Without  an  assessment  of  the  environmental  impact  of  these  projects,  their 
contribution  to  Alberta's  climate-change  plan  is  unknown.  The  environmental 
costs  of  some  projects  may  exceed  their  benefits. 


'  Alberta  Environment— Specified  Gas  Emitters  Regulation-Offset  Credit  Project  Guidance  document 
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2.    Strengthen  controls  to  detect  and  prevent  errors  in  reporting  royalty- 
liable  fuel-gas  volumes 
Recommendation  No.  26 

We  recommend  that  the  Department  of  Energy: 

•  strengthen  controls  to  prevent  fuel  gas  volumes  being  incorrectly 
reported  in  the  Petroleum  Registry  of  Alberta  and  to  detect  incorrect 
reporting. 

•  improve  its  detection  and  monitoring  processes  over  fuel  gas  volume 
amendments. 

Background 

After  natural  gas  is  produced,  it  is  transported  and  processed  into  marketable 
products  through  a  network  of  pipelines,  gathering  facilities,  and  gas  plants. 
Producers  are  liable  to  pay  royalties  on  either  unprocessed  gas  or  natural  gas 
by-products,  depending  on  the  point  in  the  process  when  the  gas  leaves  the 
network.  Some  of  the  gas  produced  is  used  as  fuel  for  compression,  gathering 
and  processing  within  the  network.  In  all  cases,  gas  purchased  and  used  as  fuel 
within  the  network  is  counted  as  having  left  the  network  and  the  producer 
(seller)  is  royalty  liable. 

Producers  and  facility  operators  must  account  for  gas  volumes  monthly  in  the 
Petroleum  Registry  of  Alberta  (the  Registry).  They  must  report  volumes 
produced  and  transferred  within,  and  disposed  from,  the  network.  When  facility 
operators  buy  and  use  gas  for  fuel  within  the  network,  they  must  report  it  as  a 
"purchased  receipt."  This  reported  activity  code  denotes  within  the  Registry  a 
royalty-liable  disposition  of  gas.  On  the  other  hand,  if  a  facility  operator 
receives,  from  a  producer,  gas  that  is  not  being  used  for  fuel,  it  is  reported  as  a 
"receipt,"  classifying  the  transfer  as  non-royalty  liable.  Although  the  recipient 
reports  whether  a  volume  is  fuel  gas,  the  disposer  of  the  gas  volumes  is 
responsible  for  ensuring  reported  fuel-gas  volumes  are  accurate. 

In  2007,  the  Department  found  a  case — through  its  monthly  variance  analysis 
process — where  it  appeared  that  gas  used  for  fuel  was  not  properly  recorded  in 
the  Registry.  This  prompted  the  Department  to  review  the  volumetric 
dispositions  of  gas  reported  on  the  Registry  for  fuel  use.  When  the  Department 
discovered  that  fuel-gas  volumes  could  be  recorded  inaccurately,  it  notified 
industry  through  the  November  2007  "Gas  Royalty  Information  Bulletin,"  that 
it  was  reviewing  volumetric  disposition  of  gas  reported  on  the  Registry  for  fuel. 
In  the  March  2008  "Gas  Royalty  Information  Bulletin,"  the  Department 
directed  all  producers  potentially  affected  to  take  appropriate  steps  to  ensure 
that  in-network  sales  or  transfers  of  gas  are  correctly  reported. 
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Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  controls  and  processes  in  place  to: 

•  ensure  that  industry's  reported  fuel-gas  volumes  are  recorded  accurately. 

•  ensure  that  all  fuel-gas  volume  amendments  are  made  completely  and 
accurately. 

•  estimate  the  royalty  impact  if  it  finds  inaccurate  reporting  by  industry. 
Our  audit  findings 

Fuel-gas  volume  reporting  controls — After  the  Department's  review  found 
that  an  operator  was  not  accurately  recording  fuel-gas  volumes,  the  Department 
manually  recalculated  royalties  that  had  not  been  charged  to  the  producers  who 
sold  fuel-gas  volumes  to  that  operator's  facilities  for  the  2003  production  year. 
It  estimated  the  royalty  underpayment  due  to  inaccurate  recording  by  this  one 
operator  at  about  $2  million  for  the  2003  production  year.  The  Department  did 
not  recalculate  the  potential  royalty  underpayments  for  the  2004  to  2007 
production  years.  Instead,  it  asked  the  operator  and  producers  involved  to 
review  their  own  reported  fuel  gas  transactions  to  determine  and  correct  any 
fuel-gas  volume  reporting  errors  up  to  the  end  of  2007. 

The  Department  performed  further  analysis  and  also  estimated  that  up  to  60 
other  operators  of  receiving  facilities  could  be  affected  because  of  inaccurate 
reporting  of  fuel-gas  volumes.  It  asked  all  operators — who  appeared  to  have 
fuel-gas  reporting  errors — to  review  and  amend  where  necessary  volumetric 
data  for  the  2003  to  2007  production  years.  The  Department  expects  operators 
to  complete  their  own  review  and  make  all  amendments  by  the  end  of  the  2008 
calendar  year.  Initially  the  Department  did  not  estimate  the  potential  royalty 
impact  of  fuel  gas  reporting  errors  until  we  asked  them  to.  Using  the 
preliminary  findings  from  their  review  of  the  2003  production  year  fuel  gas 
volume  transactions  the  Department  extrapolated  the  findings  to  the  2004-2007 
production  years.  The  Department  roughly  estimated  the  royalty  impact  for  all  5 
years  for  all  affected  operators  to  be  $25  million.  The  actual  royalty  value  of  the 
errors  could  be  significantly  different.  Because  the  Department  does  not  verify 
that  reporting  changes  are  being  made  completely  and  accurately  (discussed 
below),  the  actual  royalty  impact  from  this  issue  may  never  be  known. 

Currently  the  reporting  system  does  not  prevent  operators  from  coding  royalty- 
liable  fuel  gas  dispositions  as  non-liable  dispositions.  So,  in  addition  to 
identifying  and  correcting  errors  in  the  past  five  years  of  data  the  Department 
needs  to  find  a  way  to  prevent  or  at  least  reduce  them  in  the  future.  The 
Department  indicated  that  one  solution  may  be  to  shift  the  responsibility  of 
reporting  fuel-gas  volumes  to  the  disposer  (the  royalty-liable  party)  from  the 
recipient.  The  rationale  for  this  proposed  change  is  that  the  disposer  has  more  of 


Royalty  liable  gas 
misreported 


No  effective 
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accurately 
reported 


258 


Report  of  the  Auditor  General  of  Alberta — October  2008 


Financial  statement  and  other  assurance  audits 


Energy 


No  effective 
verification  that 
industry  finds  and 
corrects  own 
mistakes 


an  incentive  to  ensure  that  the  reporting  is  correct  than  the  recipient  because  the 
disposer  pays  interest  on  any  royalties  owing  when  reporting  errors  are  found. 

Detection  and  monitoring  of  fuel-gas  volume  amendments — As  discussed 
above  the  Department  has  asked  operators  to  perform  their  own  review  of  fuel 
gas  dispositions  and  make  corrections  where  necessary  by  the  end  of  2008.The 
Department  has  not  requested  confirmation  or  evidence  from  operators  that  they 
are  reviewing  and  amending  reported  fuel-gas  volumes  as  necessary.  The 
Department  told  us  it  plans  to  continue  following  up  this  issue.  But  it  cannot 
readily  confirm  that  amendments  in  the  Registry  are  being  made  completely  and 
accurately  because  operators  are  not  required  to  provide  explanations  or  support 
for  amendments  when  processed.  Although  the  Department  can  confirm  that 
reporting  changes  from  "receipt"  to  "purchased  receipt"  are  being  made,  it 
cannot  specifically  confirm  whether  producers  are  making  all  necessary 
changes. 


Because  of  these  findings,  we  plan  to  review  the  systems  the  Department  uses 
to  validate  all  amendments  made  within  the  Registry. 

Implications  and  risks  if  recommendation  not  implemented 

Without  effective  controls  over  the  initial  reporting  of  fuel-gas  volumes,  errors 
may  continue,  resulting  in  lost  royalties  (not  appropriately  charged  to  royalty- 
liable  production  volumes). 

Without  effective  monitoring  of  fuel-gas  amendments  that  industry  makes,  the 
Department  cannot  know  if  amendments  are  actually  being  made  or  if  they  are 
accurate. 


Unqualified 
auditor's  reports 


Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  financial  statements  for  the  Ministry  and  the 
Department  for  the  year  ended  March  31,  2008  are  unqualified. 

Our  auditor's  reports  on  the  financial  statements  of  the  Alberta  Energy  and  Utilities 
Board  and  the  Alberta  Petroleum  Marketing  Commission  for  the  9  months  and  the 
year  ended  December  31,  2007  respectively  are  unqualified. 

Our  auditor's  reports  on  the  financial  statements  of  the  Alberta  Utilities  Commission 
and  the  Energy  Resources  Conservation  Board  for  the  3  months  ended 
March  31,  2008  are  unqualified. 
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Performance  measures 
No  exceptions        We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Summary  of  our  recommendations 

The  Ministry  should: 

•  implement  processes  for  completing  the  financial  statements  of  the  Climate 
Change  and  Emissions  Management  Fund  (the  Fund) — see  below. 

•  prepare  the  Fund's  financial  statements  on  an  accrual  basis — see  below. 

•  improve  its  governance  of  ad  hoc  grants  received  from  the  federal 
government — see  page  262. 


Our  audit  findings  and  recommendations 

1 .    Climate-Change  and  Emissions-Management  Fund 
Recommendation  No.  27 

We  recommend  that  the  Ministry  implement  processes  to  comply  with  the 
Department  of  Treasury  Board's  deadlines  for  completing  the  financial 
statements  of  the  Climate  Change  and  Emissions  Management  Fund.  We 
also  recommend  that  the  Ministry's  management  prepare  the  Fund's 
financial  statements  on  an  accrual  basis. 

Background 

The  section  of  the  Climate  Change  and  Emissions  Management  Act  establishing 
the  Fund  came  into  force  on  April  20,  2007  and  the  Specified  Gas  Emitters 
Regulation  became  effective  on  June  27,  2007.  Under  this  regulation,  facilities 
emitting  more  than  100,000  tonnes  of  greenhouse  gases  a  year  must  reduce  their 
emissions  intensity  for  the  period  July  1  to  December  31,  2007  and  later 
compliance  periods,  according  to  the  target  limits  specified  in  the  regulation. 
Facilities  can  make  their  reductions  by  improving  their  operations,  purchasing 
Alberta-based  offsets  or  emission  performance  credits,  or  purchasing  Fund 
credits  for  $15  per  tonne. 

Our  audit  findings 

Fund  information         The  Ministry  originally  planned  to  begin  the  compliance  period  on 
not  auditable  January  1 ,  2008  but  decided  to  move-up  the  start  date  by  six  months. 

The  facilities  had  to  report  amounts  owed  for  the  2007  compliance  period  by 
March  31,  2008. 


New  Climate- 
Change  and 
Emissions- 
Management 
Fund  effective 
April  20,  2007 
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Audit  opinion  has         At  the  time  of  preparing  the  Fund  financial  statements,  the  Ministry  was  still 
scope  imi  a  ion  verifying  completeness,  accuracy  and  compliance  with  legislation  for  the 

amounts  reported  as  owing  by  the  facilities.  An  estimate  was  also  not  made  of 
the  revenue  owing  to  the  Fund  from  facilities  for  the  period  January  1  to 
March  31,  2008.  Consequently,  the  audit  opinion  on  the  Ministry's  financial 
statements  contains  a  scope  limitation  and  we  did  not  provide  an  opinion  on  the 
Fund's  financial  statements. 


Ministry  received 
S155.9M  grant 


Implications  and  risks  if  recommendation  not  implemented 

Non-compliance  with  government  directives  on  performance  reporting,  results 
in  untimely  and  incomplete  accountability  to  Albertans. 

EcoTrust  governance 
Recommendation 

We  recommend  that  the  Ministry  of  Environment  improve  its  governance 
of  ad  hoc  grants  received  from  the  federal  government. 

Background 

In  March  2007,  the  federal  government  announced  $155.9  million  EcoTrust 
funding  for  Alberta.  EcoTrust  is  to  support  provincial  projects  that  will  result  in 
real  reductions  in  greenhouse  gas  emissions  and  air  pollutants.  The  funding  for 
the  province  was  made  available  through  a  third-party  trust  deposited  with 
Alberta  Finance.  The  funding  was  transferred  to  Alberta  Environment  in 
April  2007  and  recorded  as  unearned  revenue.  The  funds  continued  to  be 
reported  as  unearned  revenue  as  at  March  31,  2008. 


Formal  process 
required  to  govern 
ad  hoc  grants 


Our  audit  findings 

The  Ministry  does  not  have  a  formal  process  for  governing  ad  hoc  grants.  It 
could  not  provide  complete  information  about  the  intended  use  of  funds.  We 
identified  a  separate  entity,  Alberta  Energy  Research  Institute  (AERI) ,  part  of 
Advanced  Education  and  Technology,  that  had  included  the  EcoTrust  grant  in 
its  2008-13  Strategic  Business  Plan.  Management  at  AERI  were  not  aware  of  a 
process  for  transferring  the  funds  from  the  Ministry. 

Implications  and  risks  if  recommendation  not  implemented 

Lack  of  processes  for  managing  and  reporting  on  the  use  of  grant  funds  could 
result  in  non-compliance  with  grant  conditions. 
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3.    Managing  for  results— changed  circumstances 

In  our  2003-2004  Annual  Report  (No.  13— page  138)  we  recommended  that  the 
Ministry  of  Environment  improve  the  process  for  developing  new  performance 
measures  and  ensure  the  measures  in  its  business  plan  assess  the  results  each 
goal  aims  to  achieve. 

We  reviewed  the  goals  and  measures  in  Budget  2008  and  concluded  that  they 
have  changed  significantly.  So  our  previous  recommendation  is  no  longer 
relevant.  Ministry  management  indicated  that  goals  are  more  directly  focused 
on  the  Ministry's  contribution  to  desired  results  and  reflect  direction  in  the 
Minister's  mandate  letter. 


Performance  reporting 

Financial  statements 

Qualified  opinion     Our  auditor's  report  on  the  Ministry's  financial  statements  is  qualified  with  a  scope 
limitation.  On  the  Department's  financial  statements  for  the  year  ended 
March  31,  2008,  our  auditor's  report  is  unqualified. 

No  exceptions       Performance  measures 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Executive  Council 

Performance  reporting 

Financial  statements 

Unqualified  Our  auditor's  report  on  the  Ministry's  financial  statements  for  the  year  ended 

auditor  s  report        March  3  {  2m  ^  unqualified 

Performance  measures 
No  exceptions        yVe  found  no  exceptions  when  we  applied  specified  auditing  procedures  on  the 
performance  measures  in  the  Ministry's  2007-2008  Annual  Report. 
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Summary  of  our  recommendations 

The  Department  should: 

examine  financial  reporting  processes  and  succession  planning — see  page  268. 
develop  a  process  for  ensuring  complete  recording  of  donated  funds — see 
page  270. 

ensure  payroll  bank  reconciliations  are  promptly  prepared  and  reviewed — see 
page  271. 

develop  an  IT  control  framework — see  page  5 1 . 
review  user  access — see  page  272. 

review  use  of  spreadsheets  in  processing  taxes — see  page  273. 

Alberta  Treasury  Branches  should: 

improve  its  treasury  management  systems — see  page  109. 
improve  internal  controls  over  fair-value  calculations  of  investments  and 
derivatives1 — see  page  274. 

promptly  update  derivative  credit  limits  in  reports — see  page  276. 
improve  controls  for  capturing  non-consumer  loan-risk  ratings  in  its  banking 
system— see  page  277. 

implement  action  plans  to  resolve  internal  control  weaknesses  identified  by 
ATB's  internal  control  group — see  page  278. 

complete  criminal  record  checks  for  new  employees  before  they  start  work- 
see  page  279. 

develop  and  implement  a  securitization  policy  and  securitization  business 
rules — see  page  280. 


Alberta  Investment  Management  Corporation  should: 

•  prepare  for  internal  control  certification — see  page  282. 

•  rectify  conflicting  responsibilities  for  internal  audit — see  page  284. 

•  improve  procedures  for  valuing  real  estate  investments — see  page  285. 

•  improve  completeness  and  accuracy  of  private  equity  partnership  investments- 
see  page  287. 

•  monitor  International  Swaps  and  Derivatives  Association  agreements — see 
page  288. 

•  improve  controls  over  trading  with  approved  counterparties — see  page  290. 

•  develop  an  IT  control  framework — see  page  5 1 . 

•  improve  performance  measurement  review  processes — see  page  291. 


1  Derivatives  are  financial  instruments  whose  value  changes  in  response  to  the  changes  in  underlying  variables.  The  main 
types  of  derivatives  are  futures,  forwards,  options  and  swaps. 
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•  improve  controls  over  record  management — see  page  291. 

Alberta  Capital  Finance  Authority  should  extend  the  deadlines  for  finalizing  the 
financial  statements  and  the  audit— see  page  292. 

Alberta  Pensions  Administration  Corporation  should  develop  an  IT  control 
framework — see  page  5 1 

Alberta  Securities  Commission  should: 

•  develop  an  IT  control  framework — see  page  51 

•  clarify  its  purchase  policy — see  page  294. 


Our  audit  findings  and  recommendations 

1.    Department  of  Finance 

1.1.  Financial  reporting  processes  and  succession  planning— Investment 
Accounting  and  Reporting  Group 
Recommendation  No.  28 

We  recommend  that  the  Investment  Accounting  and  Reporting  group 
(IAR)  of  the  Department  of  Finance  and  Enterprise  improve  the  timeliness 
of  its  financial  reporting  and  assess  IAR  workloads  by: 

•  recruiting  sufficient  people  with  expertise  in  investment  accounting. 

•  ensuring  time  budgets  allow  for  increases  in  the  number  of  investment 
pools,  complexity  of  investment  transactions,  staff  absences, 
management  review  and  correction  of  errors. 

•  creating  a  management  succession  plan. 

Background 

The  Investment  Accounting  and  Reporting  (IAR)  group  of  the  Department  of 
Finance  and  Enterprise  is  responsible  for  the  financial  reporting  of  the 
investment  clients  of  Alberta  Investment  Management  Corporation  (AIMCo) , 
which  has  total  investments  under  management  of  $75  billion.  The  group 
prepares  working  papers,  financial  information  and  financial  statements  for  5 
endowment  funds,  10  pension  plans,  the  Consolidated  Cash  Investment  Trust 
Fund,  and  20  government  and  other  funds.  The  group  also  prepares  the 
quarterly  financial  statements  and  public  reports  for  the  Alberta  Heritage 
Savings  Trust  Fund  (AHSTF) . 

On  a  monthly  basis,  IAR  prepares  bank  reconciliations  and  financial  reports  for 
approximately  60  investment  pools.  On  a  quarterly  basis,  the  group  determines 
investment  write-downs,  reviews  cut-off,  makes  accruals  and  proposes 


IAR  group  focuses 
on  investment 
accounting 
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adjustments  to  the  investments  general  ledger.  They  analyse  and  report 
derivative  transactions,  combine  investments  pools  into  common  investment 
schedules  and  calculate  client's  share  of  investment  balances  and  transactions. 

IAR  provides  accounting  policy  advice  to  AIMCo,  Department  officials  and 
other  organizations.  Group  management  attends  AIMCo  meetings.  Endowment 
Fund  Policy  Committee  meetings  and  AHSTF  Standing  Committee  meetings. 

Criteria:  the  standards  we  used  for  our  audit 

For  accurate  and  timely  financial  reporting  of  investment  balances  and 
transactions,  the  IAR  group  should  ensure  that: 

•  a  sufficient  number  of  knowledgeable  professional  staff  are  available  to 
perform  the  work  on  a  timely  basis. 

•  attainable  time  budgets  are  set  for  the  completion  of  financial  reporting. 

•  time  budgets  include  provisions  for  increase  in  number  of  investment 
pools,  complexity  of  investment  transactions,  staff  absences,  management 
review  and  correction  of  errors. 

•  appropriately  trained  back-up  personnel  are  available  to  replace  key 
managers  in  the  event  of  sickness,  injury  or  resignation. 

Our  audit  findings 

Time  constraints  Timelines  for  the  audit  of  financial  statements  prepared  by  IAR  are  fixed  for  the 

entire  Government  of  Alberta  and  cannot  be  extended.  However,  the  number 
and  complexity  of  the  investment  pools,  and  total  dollars  invested  has  increased 
exponentially,  increasing  the  time  required  to  prepare  the  financial  statements 
and  supporting  working  papers.  A  vast  majority  of  work  prepared  for  audit  by 
the  IAR  group  must  be  completed  in  a  matter  of  a  few  weeks.  The  IAR  group 
has  more  work  to  do  but  the  time  allowed  has  not  changed  and  the  size  and  skill 
sets  of  the  group  have  not  increased  proportionately. 

As  a  result  of  the  departure  of  an  experienced  staff  member,  many  bank 
reconciliations  and  some  working  papers  were  provided  to  us  later  than 
planned,  resulting  in  delays  in  completion  of  our  audit  procedures.  We  observed 
that  the  senior  manager  of  the  group  and  his  staff  were  under  pressure  to  deliver 
the  working  papers,  financial  statements  and  other  reports  on  time.  They  were 
working  long  hours  on  both  weekdays  and  weekends. 

Lacks  resources  The  IAR  group  does  not  have  sufficient  depth  and  breadth  of  staff  resources  to 

complete  the  quarterly  financial  reporting  cycle  without  the  direct  involvement 
of  the  group's  senior  manager.  He  is  the  only  person  in  the  group  with  a 
complete  understanding  of  AIMCo's  investment  management  systems  and 
processes.  The  Department  of  Finance  and  Enterprise  should  engage  in  a 
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succession  plan  process  for  the  IAR  group  which  involves  hiring  more  staff  to 
reduce  workloads  and  allow  for  better  cross-training  and  review  of  work. 
Qualified  professional  accountants  would  be  the  best  candidates  for 
management  positions  within  this  highly  specialized  group. 

Implication  and  risks  if  recommendation  not  implemented 

Without  sufficient  people  with  expertise  in  investment  accounting,  and  time 
budgets  which  allow  for  increases  in  number  of  investment  pools  and 
complexity  of  investment  transactions,  the  IAR  group  would  be  unable  to  issue 
timely,  accurate  and  complete  financial  statements  for  AIMCo  clients. 

1.2  Donated  funds— Alberta  Heritage  Scholarship  Fund 
Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  develop  a 
process  to  ensure  complete,  accurate  and  timely  recording  of  donations  to 
the  Alberta  Heritage  Scholarship  Fund. 

Background 

The  Alberta  Heritage  Scholarship  Fund  receives  contributions  from  other 
ministries  and  government  departments  for  specific  scholarship  programs.  In 
2007-08  a  program  within  the  Access  to  the  Future  Fund  provided  matching 
payments  for  donations  to  the  Apprenticeship  scholarships  program.  At  the  end 
of  the  year  the  Access  to  the  Future  Fund  accrued  a  liability  for  eligible 
matching  payments  to  the  Scholarship  Fund.  The  Access  to  the  Future  Fund  is 
administered  by  the  Ministry  of  Advanced  Education  and  Technology. 

Criteria:  the  standards  we  use  for  our  audit 

The  Department  of  Finance  and  Enterprise  should  have  a  process  in  place  to 
inform  the  Investment  Accounting  and  Reporting  Group  (IAR)  of  accruals 
payable  to  the  Scholarship  fund.  Donations  should  be  recorded  accurately  and 
in  the  correct  period. 

Our  audit  findings 

In  May  2008,  IAR  staff  learned  that  Advanced  Education  had  accrued  a 
donation  of  $725,575  payable  to  the  Scholarship  Fund  on  March  31,  2008.  This 
donation  had  not  been  communicated  to  IAR.  After  the  year-end  was  closed, 
the  IMAGIS  general  ledger  was  re-opened  to  record  the  amounts  receivable  and 
donation  revenue. 


No  evidence  of 
process 


We  did  not  find  evidence  of  a  process  to  ensure  scholarship  fund  donations  are 
recorded  in  a  complete,  accurate  and  timely  manner. 
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Implications  and  risks  if  recommendation  not  implemented 

The  absence  of  a  process  to  facilitate  prompt  and  accurate  recording  of 
donations  from  Advanced  Education  may  lead  to  misstatement  of  the  financial 
statements  of  the  Scholarship  Fund. 

1.3  Payroll  bank  reconciliations 
Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  work  with 
its  service  provider  to  ensure  that  bank  reconciliations  for  the 
government's  payroll  disbursement  bank  account  are  promptly  prepared 
and  reviewed. 


Service  provider 
prepares  bank 
reconciliations 


Background 

The  Department's  service  provider  prepares  the  monthly  bank  reconciliation 
statement  for  the  Payroll  Disbursement  Bank  Account.  Under  the  Banking 
Operations  Agreement  with  the  service  provider,  they  are  required  to  present 
the  monthly  bank  reconciliations  to  the  Department  by  the  19lh  business  day  of 
the  following  month. 


Criteria:  the  standards  we  used  for  our  audit 

Bank  reconciliations  should  be: 

•  prepared  promptly. 

•  reviewed  and  approved  by  an  officer  independently  of  the  preparer. 


Bank 

reconciliations  not 
promptly  prepared 


Our  audit  findings 

We  selected  two  months  for  testing  the  payroll  disbursement  bank  account 
reconciliation  and  found  that: 

•  The  reconciliation  for  November  2007  was  signed  as  reviewed  and 
approved  by  the  Department  on  February  1,  2008.  Although  the  service 
provider  presented  the  bank  reconciliation  on  December  21,  2007,  they  did 
not  provide  all  the  supporting  documents  that  the  Department  needed  to 
promptly  review  the  bank  reconciliation. 

•  The  Department  obtained  the  March  2008  reconciliation  from  the  service 
provider  on  May  29,  2008.  Although  the  service  provider  prepared  the  bank 
reconciliation  on  April  25,  2008,  the  Department  did  not  promptly  follow 
up  to  obtain  a  copy  of  the  reconciliation.  By  May  29,  2008  the  Department 
had  not  obtained  the  supporting  documents  for  items  included  on  the 
reconciliation  and  had  not  finished  reviewing  the  reconciliation. 


Implications  and  risks  if  recommendation  not  implemented 

Without  the  service  provider's  timely  submission  of  payroll  bank 
reconciliations,  and  prompt  review  by  the  Department,  unexplained  differences, 
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Department  relies 
on  access  controls 


fraud  or  errors  may  go  undetected.  Misstatements  in  the  financial  statements 
may  result. 

1 .4  User  access 

Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise  review  all 
user  access  to  business  data  to  ensure  that  unauthorized  changes  are 
prevented  and  appropriate  incident  monitoring  exists  to  ensure  systems 
issues  are  promptly  resolved. 

Background 

The  Department  of  Finance  and  Enterprise's  computer  systems  provide  for 
security,  integrity,  confidentiality  and  availability  of  business  data.  The 
Department  relies  on  access  security  and  controls  over  user  accounts  to  ensure 
that  access  to  business  data  is  appropriately  controlled. 

In  computer  systems,  some  users  have  more  privileges  than  normal  users  have. 
These  privileged  users  can  access  business  data,  including  data  used  in 
determining  significant  amounts  in  the  financial  statements.  At  times,  some 
privileged  users  need  access  to  business  data  to  resolve  system  issues  and 
support  business  users. 


No  reviews  of  user 
access 


Criteria:  the  standards  we  used  for  our  audit 

The  Department  should: 

•  properly  control  user  access,  including  access  of  privileged  IT  users,  to 
business  data. 

•  formally  document  performance  of  control  procedures  over  user  access. 

•  ensure  that  access  to  business  data  allows  prompt  investigation  and 
resolution  of  systems  issues. 

Our  audit  findings 

We  observed  that  formal  regular  reviews  of  user  access  do  not  occur.  We  also 
observed  that  documentation  of  performance  of  control  procedures  over 
inactive  users  did  not  exist. 


Some  powerful 
users  have  access 
to  important 
spreadsheets 


In  addition,  we  examined  user  access  to  TaxMod,  a  spreadsheet  used  by  the 
Department  to  estimate  amounts  relating  to  Personal  Income  Tax,  Canada 
Health  Transfer  and  Canada  Social  Transfers,  which  are  significant  amounts  in 
the  financial  statements.  TaxMod  is  located  in  a  network  folder. 


Management  performs  several  checks  on  the  data  within  TaxMod,  and  business 
user  access  is  appropriately  restricted.  Some  IT  user  access  to  business  data  is 
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necessary  to  enable  prompt  investigation  and  resolution  of  systems  issues. 
However,  24  IT  personnel  have  access,  because  of  their  privileged  user  access, 
and  an  additional  8  generic  user  IDs.  not  identifiable  with  a  particular  person, 
also  have  access. 

Implications  and  risks  if  recommendation  not  implemented 

Without  proper  controls  over  user  access,  unauthorized  changes  to  business  data 
may  occur.  Misstatements  in  the  financial  statements  may  result. 

1 .5  Use  of  spreadsheets  in  processing  taxes 
Recommendation 

We  recommend  that  the  Department  of  Finance  and  Enterprise,  Tax  and 
Revenue  Administration,  review  the  use  of  spreadsheets  in  processing 
Insurance  Corporations  Tax.  We  also  recommend  that  the  Department 
assess  the  costs,  benefits  and  risks  of  using  spreadsheets,  and  consider 
whether  using  existing  established  computer  systems  is  more  appropriate. 

Background 

The  Department  of  Finance  and  Enterprise  has  established  business  processes 
and  computer  systems  for  the  administration,  assessment,  and  collection  of 
various  taxes  and  credits,  including  the  processing  of  taxpayer  returns. 
Established  computer  systems  have  systems-based  controls,  such  as  automated 
validation  edits,  transaction  logs,  change-management  procedures,  and  audit 
trails. 

Criteria:  the  standards  we  used  for  our  audit 

Business  processes  and  computer  systems  should  ensure  data  integrity  and 
security.  The  level  of  data  integrity  and  security  controls  should  be 
commensurate  with  the  risk  and  significance  of  the  taxes  involved. 

Our  audit  findings 

The  Department  collected  approximately  $260  million  of  Insurance 
Corporations  Tax  for  the  year  ended  March  31 ,  2008.  The  Tax  is  based  on  the 
premiums  written  by  insurance  companies  operating  in  Alberta.  About  300 
companies  file  an  annual  return. 

The  Department  has  internal  control  procedures,  including  manual  procedures, 
to  assess  the  amount  of  Insurance  Corporations  Tax  collected.  Insurance 
Corporations  Tax,  in  part,  is  processed  in  a  spreadsheet.  Spreadsheets  lack  the 
data  integrity  and  security  controls  over  transaction  processing  that  the 
established  computer  systems  have. 


Taxes  processed  in 

established 

systems 


Insurance  tax 
processed  outside 
established 
systems 
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Implications  and  risks  if  recommendation  not  implemented 

Without  proper  controls,  errors  may  not  be  prevented,  or  detected  and  corrected. 
Misstatements  in  tax  amounts  in  the  financial  statements  may  result.  As  well, 
incorrect  assessments  may  occur,  resulting  in  loss  of  tax  revenue. 

1.6  Estimating  corporate  income  tax  refunds — implemented 

Need  to  improve  rn  our  2006-2007  Annual  Report  (vol.  1,  page  146),  we  recommended  that  the 

Department  improve  its  method  for  estimating  corporate  income  tax  refunds 
payable  and  adjust  forecasted  corporate  income  tax  revenue  to  reflect  actual 
results  as  soon  as  the  information  is  available. 


Estimation  method        Tn  2007-2008,  the  Department  changed  its  method  of  estimating  corporate 


changed 


income  tax  refunds  payable,  which  is  now  based  on  prior  years'  refunds  paid  on 
assessments.  We  agree  with  the  change  in  method.  The  Department  has 
recorded  corporate  income  tax  revenue  and  corporate  income  tax  refunds 
payable  in  accordance  with  the  new  method. 


Some  journal 
entries  not 
reviewed 


Reviews  occur 


1.7  Journal  entries — implemented 

In  our  2006-2007  Annual  Report  (vol.  2,  pg  86)  we  recommended  that  the 
Ministry  ensure  that  journal  entries  are  properly  approved  and  that  the 
incompatible  functions  of  preparation  and  approval  are  properly  segregated. 

In  2007-2008,  management  undertook  a  review  of  journal  entries  posted  within 
the  Department  to  ensure  that  entries  are  properly  approved.  Management  has 
identified  controls  that  would  detect  incorrect  or  fraudulent  journal  entries.  We 
are  satisfied  that  at  least  two  individuals  are  to  see  each  journal  entry,  and  that 
the  risk  of  an  error  has  been  reduced. 


2.   Alberta  Treasury  Branches 

2.1  Internal  controls  over  fair-value  calculations  of  investments  and 
derivatives 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  controls  over 
fair- value  calculations  of  its  investments  and  derivatives  by: 

•  implementing  a  peer-review-and-approval  process  for  inputs  and 
assumptions  used  in  the  valuation  models. 

•  using  a  benchmarking  process — as  an  alternative  process  for 
derivatives — to  assess  reasonability  of  its  calculated  fair  values. 

•  documenting  the  results  of  this  work  consistently. 
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Background 

ATB  calculates  the  fair  value  of  its  derivatives  and  investments  using  market 
valuation  techniques  with  input  of  several  variables  such  as  interest  rates, 
volatility  factors  and  cash  flows.  Management  also  makes  assumptions  in 
certain  valuations.  Staff  manually  enter  data  into  different  systems  or 
spreadsheets  to  calculate  the  fair  values  of  derivatives  and  investments  for 
financial  reporting. 

Criteria:  the  standards  we  used  for  our  audit 

ATB  should  ensure  that: 

•  an  appropriate  level  of  peer  review  is  performed  over  the  data  inputs  used 
in  calculating  fair  values.  Alternatively,  for  derivatives,  ATB  should 
compare  its  calculated  fair  value  to  the  fair  values  reported  by 
counterparties2  as  a  benchmark  to  assess  reasonableness. 

•  documentation  and  approval  of  the  valuation  results,  support  for  the 
variables  and  assumptions  used  in  the  valuation,  and  documentation  to 
show  the  peer  review  of  the  data  inputs  is  maintained.  This  formal  process 
should  occur  periodically,  likely  quarterly,  to  match  the  financial-reporting 
process. 

Our  audit  findings 

For  both  derivatives  and  investments,  there  is  no  peer  review  of  the  manual  data 
input  into  the  fair  value  calculations  for  accuracy.  And  we  could  not  find 
evidence  that  the  valuation  results  were  approved.  For  both  derivatives  and 
investments,  only  one  person  is  involved  in  the  calculation  process. 

For  derivatives,  ATB  told  us  that  it  compares  its  calculated  fair  values  to  the 
counterparty's  fair  values  as  a  check  for  reasonableness  and  this  was  a 
compensating  control.  However,  there  was  no  evidence  to  show  that  this 
compensating  control  regularly  occurred  or  that  the  results  of  the  comparisons 
were  analyzed  and  approved.  Counterparty  valuations  are  not  always  received 
promptly  each  quarter  and  some  valuations  are  never  received  from  certain 
counterparties. 

At  March  31,  2007,  fair- value  differences  for  certain  option  contracts  with  one 
counterparty  were  more  than  $4  million.  A  fair-value  difference  is  the 
difference  between  ATB  calculated  fair-value  and  the  counterparty's  fair-value. 
We  identified  this  valuation  error  by  comparing  the  two  fair-values.  This  error 


2  A  counterparty  is  a  legal  term  which  means  the  party  to  a  contract.  In  this  chapter,  it  is  a  counterparty  to  a  derivative 
contract. 


Valuation 
techniques  used 


Data  not  reviewed 
and  results  are  not 
approved 


Errors  have 
occurred 
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was  corrected  for  financial  reporting,  but  ATB's  internal  control  systems  did 
not  find  it. 


Implications  and  risks  if  recommendation  not  implemented 

Without  strong  controls  for  determining  the  fair  value  of  derivatives  and 
investments,  the  risk  of  misstating  financial  results  is  considerable. 


2.2  Derivative  credit  limits  in  report 
Recommendation 

We  recommend  that  Alberta  Treasury  Branches  promptly  update  the 
derivative  credit  limits  disclosed  on  the  daily  derivative  credit  exposure 
report. 


Client  derivative 
line  of  business 
started  in  2006-07 


Credit  risk 
exposure  exists 


Background 

ATB  started  its  client-derivative  line  of  business  in  2006-07.  Client  derivatives 
are  derivative  contracts  that  ATB  sells  to  its  customers  and  include  oil,  natural 
gas,  and  foreign  currency  derivatives. 

ATB  does  not  bear  market  risk  from  client-derivative  transactions  because  it 
offsets  all  transactions  in  the  market  with  a  back-to-back  transaction  with  other 
financial-institution  counterparties.  At  March  31,  2008,  the  fair  value  of  ATB's 
client-derivative  assets  was  $28.2  million,  offset  by  liabilities  of  $28.0  million. 

But  ATB  does  bear  credit  risk  related  to  its  client-derivative  program.  ATB 
prepares  a  daily  credit-exposure  report  to  monitor  credit  exposure  on  client 
derivative  deals.  ATB  compares  client  derivative  credit  exposure  to  the  client's 
derivative  credit  limit.  If  the  credit  exposure  is  close  to  or  exceeds  the  client's 
derivative  credit  limit,  ATB  must  act  to  limit  or  reduce  its  credit  exposure  on 
that  client. 


Criteria:  the  standards  we  used  for  our  audit 

The  daily  derivative  credit  exposure  report  should  report  current  client 
derivative  credit  limits. 


Credit  limits  did 
not  agree 


Our  audit  findings 

We  examined  two  client-credit  limits  on  the  daily  derivative  credit-exposure 
report  and  in  both  cases  the  client's  credit  limit  differed  from  the  authorized 
credit  limit. 
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Implications  and  risks  if  recommendation  not  implemented 

The  monitoring  of  ATB's  client  derivative  credit  risk  exposure  will  be 
ineffective  if  inaccurate  credit  limits  are  reported  on  the  daily  derivative  credit 
exposure  report. 

2.3  Controls  for  capturing  non-consumer  loan-risk  ratings  in  its  banking 
system 

Recommendation 

We  recommend  that  Alberta  Treasury  Branches  improve  controls  for 
capturing  non-consumer  loan-risk  ratings  in  its  banking  system. 

Background 

ATB  determines  and  assigns  a  risk  rating  to  each  non-consumer  loan.  Non- 
consumer  loans  are  commercial,  small  business  and  agriculture  loans.  ATB 
determines  or  updates  a  risk  rating  when: 

•  a  new  loan  application  is  completed. 

•  borrower  requests  new  funds. 

•  it  completes  the  annual  loan  review. 

•  a  material  or  adverse  change  in  borrower  circumstances  occurs. 

In  these  cases,  ATB  re-calculates  the  risk  rating  and  transfers  the  revised  risk 
rating  to  the  loan  application.  The  loan  application  then  goes  through  the 
required  ATB  approvals.  The  ATB  lender  then  sends  a  request  to  ATB's 
Central  Services  to  update  the  risk  rating  in  the  banking  system. 

ATB  uses  loan-risk  rating  information  from  its  banking  system  to: 

•  track  industry  and  market  trends  as  part  of  management's  oversight  of  the 
loan  portfolio. 

•  calculate  the  general  loan-loss  allowance. 

•  review  loan  pricing  for  borrowers  and  ensure  it  matches  credit  risk. 

Accurate  data  on  credit  risk  in  the  loan  portfolio  allows  management  to 
understand  credit  risk  in  the  loan  portfolio.  The  general  loan  loss  allowance  is  a 
significant  estimate  within  ATB's  financial  statements. 

Criteria:  the  standard  we  used  for  our  audit 

ATB  should  accurately  and  promptly  capture  its  borrower's  non-consumer 
loan-risk  ratings  in  the  banking  system. 


Non-consumer 
loans  arc  risk  rated 
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Our  audit  findings 

We  identified  5  instances  in  the  25  loans  we  examined  at  ATB's  Corporate 
Financial  Services  in  which  the  correct  loan-risk  rating  on  the  loan  application 
did  not  match  the  loan-risk  rating  recorded  within  the  banking  system. 

Implications  and  risks  if  recommendation  not  implemented 

ATB's  monitoring  of  credit  risk  in  its  loan  portfolio  is  less  effective  and  the 
calculation  of  its  general  loan  loss  allowance  less  accurate  if  loan-risk  rating 
data  is  incorrect. 


Risk  ratings  did 
not  match 


2.4  Action  plans  to  resolve  internal  control  weaknesses  identified  by  ATB's 
internal  control  group 
Recommendation  No.  29 

We  recommend  that  Alberta  Treasury  Branches  validate  and  approve 
business  processes  and  internal  control  documentation  developed  by  its 
internal  control  group  and  implement  plans  to  resolve  identified  internal 
control  weaknesses. 


Internal  control 
group  documents 
controls 


Background 

ATB  has  delegated  two  tasks  to  its  internal  control  group: 

•  documenting  business  processes  and  internal  controls  for  its  significant 
financial-reporting  processes. 

•  identifying  internal  control  deficiencies  and  risks  that  may  prevent  ATB 
from  meeting  business  objectives. 


Business-process  owners  are  individuals  responsible  for  ensuring  that  internal 
controls  for  business  processes,  that  operate  under  their  oversight,  work 
effectively.  Owners  review  and  approve  the  resulting  business-process  and 
internal-control  documentation.  They  are  also  responsible  to  fix  any  identified 
internal-control  weaknesses. 


Criteria:  the  standards  we  used  for  our  audit 

ATB  should  ensure  that  business-process  owners: 

•  review  and  agree  with  business-process  and  internal-control 
documentation. 

•  develop  and  implement  an  action  plan  to  resolve  identified  internal-control 

weaknesses. 


Our  audit  findings 

ATB  management  has  not  set  reasonable  timeframes  for  business-process 

timeframes  not  set 

owners  to: 
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not  Finalized 


•  review  internal  control  group's  business  process  documentation  and 
identified  internal  control  deficiencies. 

•  complete  remediation  strategies. 

In  April  2007,  we  obtained  a  draft  report  from  the  internal  control  group  for  one 
business  process.  The  draft  report  had  been  given  to  the  business-process  owner 
and  included  numerous  internal  control  weaknesses.  As  of  April  2008,  the 
business-process  owner  had  not  agreed  with  the  draft  report  and  had  not 
developed  an  action  plan  to  mitigate  the  internal  control  deficiencies.  One  other 
draft  report  on  business-process  documentation  provided  to  the  business- 
process  owner  in  September  2007  was  not  finalized  as  of  April  2008.  We  have 
not  looked  at  or  assessed  the  timely  completion  of  all  draft  internal  control 
group  reports  shared  with  business-process  owners. 

Implications  and  risks  if  recommendation  not  implemented 

ATB  is  not  deriving  the  full  benefit  of  its  internal  control  group  if  reports  are 
not  finalized  and  internal  control  weaknesses  are  not  promptly  solved.  If  ATB 
management  has  to  certify  the  effectiveness  of  ATB's  internal  controls  in  the 
future,  it  will  be  better  able  to  do  so  if  business  process  and  internal  control 
documentation  is  finalized  and  internal  control  weaknesses  are  promptly  fixed. 

2.5  Criminal-record  checks 
Recommendation  No.  30 

We  recommend  that  Alberta  Treasury  Branches  improve  its  hiring 
processes  to  ensure  that  criminal-record  checks  are  completed  before 
people  start  working  for  it. 


Business  rules 
require  reference 
checks 


Background 

ATB  has  a  business  rule  that  requires  all  prospective  employees  to  undergo  a 
criminal-record  check.  The  rule  does  not  explicitly  state  that  this  check  is 
required  before  an  employee  starts  working  with  ATB.  As  a  result,  employees 
can  start  working  before  their  criminal-record  check  is  completed  and  the 
results  reviewed. 


Criminal  record 
checks  are  critical 


As  a  financial  institution,  ATB  is  responsible  for  much  personal  and  corporate 
information,  including  bank  accounts,  credit  cards,  and  social  insurance 
numbers.  Customers  trust  ATB  to  ensure  this  information  is  secure  and  off- 
limits  to  criminals,  such  as  identity  thieves,  who  could  use  this  information 
maliciously.  ATB  employees  in  certain  positions  also  have  access  to  cash  and 
negotiable  instruments. 
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A  person's  past  can  often  predict  how  they  will  act  in  the  future  and  criminal- 
record  checks  are  a  strong  preventative  control. 

Criteria:  the  standards  we  used  for  our  audit 

ATB  should  complete  criminal-record  checks  on  prospective  employees  before 
it  hires  them. 

Our  audit  findings 

Our  testing  of  15  employees  found  1 1  cases  where  ATB  did  not  do  a  criminal- 
record  check  before  the  employee  started  work  at  ATB.  The  time  between  when 
the  employee  started  and  when  ATB  finished  the  criminal-record  check  ranged 
from  2  to  57  days.  The  average  was  21  days.  These  employees  worked 
throughout  ATB,  not  just  in  a  particular  area.  In  one  case,  a  rehire  of  a  former 
employee,  no  criminal-record  check  was  done. 

The  roles  of  these  employees  were  diverse  and  included  a  senior  team  leader  in 
central  administration,  a  loan-service  clerk  in  retail  loans  processing,  and  5 
customer-service  representatives.  These  positions  have  access  to  confidential 
information;  some  of  them  have  access  to  cash  in  the  branches.  They  are  not 
low-risk  positions  without  opportunity;  rather  they  have  enough  responsibility 
that  someone  could  commit  fraud  or  obtain  confidential  customer  information. 

It  takes  approximately  two  days  to  complete  a  criminal-record  check.  ATB 
should  have  enough  time  to  complete  a  check  before  a  person  starts  work. 

Implications  and  risks  if  recommendation  not  implemented 

ATB  is  subject  to  increased  risk  of  theft,  fraud  and  loss  of  confidential 
information  if  it  does  not  complete  criminal  record  checks  before  an  employee 
starts.  ATB  also  risks  its  reputation  if  an  employee  commits  a  high-profile  fraud 
and  ATB  did  not  check  the  background  of  the  employee. 

2.6  Securitization  policy  and  business  rules 
Recommendation  No.  31 

We  recommend  that  Alberta  Treasury  Branches  develop  and  implement  a 
securitization  policy  and  securitization  business  rules. 

Background 

ATB  now  participates  in  the  mortgage-securitization  program  that  Canada 
Housing  and  Mortgage  Corporation  (CMHC)  offers  to  financial  institutions. 
ATB  securitized  approximately  $250  million  in  CMHC-insured  mortgages 
between  March  and  June  2008.  ATB  started  its  securitization  program  to  help 


Criminal  record 
checks  not  always 
completed  prior  to 
start  date 


ATB  securitized 
$250  million  of  its 
mortgages 
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fund  its  planned  asset  growth  by  improving  its  liquidity  and  diversifying  its 
funding  base. 

Criteria:  the  standards  we  used  for  our  audit 

Management  should  develop  and  implement  an  appropriate  securitization 
policy  and  business  rules  that  help  ATB  achieve  its  objectives. 

ATB  should  ensure  the  policy  and  business  rules  cover  the  following: 

•  objectives  of  the  securitization  program. 

•  risks  and  approach  to  risk  management. 

•  roles  and  responsibilities. 

•  securitization  activities  allowed. 

•  accounting  policies. 

•  key  assumptions  used  in  accounting  for  securitization  activities. 

•  compliance  with  CMHC  program  guidelines. 

•  reporting  requirements. 

•  performance-reporting  metrics. 

•  internal  controls. 

Our  audit  findings 

ATB  completed  a  $250  million  securitization  transaction  without  having  a 
comprehensive  Board-approved  securitization  policy  or  securitization  business 
rules  in  place. 

Implication  and  risks 

ATB  may  not  manage  its  securitization  risks  appropriately  or  achieve  its 
objectives  of  diversifying  its  funding  base  and  improving  liquidity  if 
management  does  not  develop  and  implement  a  comprehensive  securitization 
policy  and  business  rules. 

3.   Alberta  Investment  Management  Corporation  (AIMCo) 

On  January  1,  2008,  the  investment  operations  of  the  Department  of  Finance 
and  Enterprise,  previously,  Alberta  Investment  Management  (AIM)  were 
transferred  to  Alberta  Investment  Management  Corporation  (AIMCo).  AIMCo 
is  a  new  crown  corporation  responsible  to  the  Minister  of  Finance  and 
Enterprise. 

AIMCo  manages  investments  with  a  market  value  of  about  $75  billion  which 
includes  the  portfolios  of  large  Alberta  pension  funds,  the  Alberta  Heritage 
Savings  Trust  Fund,  Alberta  endowment  funds,  Government  funds,  the 
Consolidated  Cash  Investment  Trust  Fund  and  investments  of  other  Alberta 
government  funds  and  entities,  including  the  Workers'  Compensation  Board. 
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We  audited  the  investments  managed  by  AIM  before  January  1 ,  2008  and  by 
AIMCo  after  that.  Our  work  was  done  centrally  at  the  pooled-fund  level  and 
included  assessing  the  design  and  operating  effectiveness  of  internal  controls 
over  the  administration  of  investments.  We  reviewed  each  major  control 
process  and  performed  walkthroughs  to  improve  our  understanding  and  to 
identify  opportunities  for  improvement.  We  used  substantive  audit  procedures 
to  test  manual  control  systems  that  accrue  investment  income,  record 
investment  management  expenses  and  value  investments. 

We  have  identified  the  following  areas  for  improvement  in  administering 
pooled  fund  investments.  Overall,  AIMCo  needs  to  become  more  control 
conscious,  to  focus  senior  management  attention  on  internal  control  and  to  work 
to  obtain  formal  internal  control  certification. 

3.1  Internal  control  certification 
Recommendation  No.  32 

We  recommend  that  Alberta  Investment  Management  Corporation 
introduce  a  process  to  prepare  for  internal  control  certification  by: 

•  ensuring  that  its  strategic  plan  includes  internal  control  certification. 

•  developing  a  top-down,  risk-based  process  for  internal  control  design. 

•  selecting  an  appropriate  internal  control  risk-assessment  framework. 

•  considering  sub-certification  processes,  with  direct  reports  to  the  Chief 
Executive  Officer  and  Chief  Financial  Officer  providing  formal 
certification  on  their  areas  of  responsibility. 

•  ensuring  that  management  compensation  systems  incorporate  the 
requirement  for  good  internal  control. 

•  using  a  phased  approach  to  assess  the  design  and  operating 
effectiveness  of  internal  controls. 

Background 

An  assessment  of  internal  control  can  take  many  forms.  Auditors  can  provide  a 
CICA  Section  5970  report;  management  can  commission  a  Sarbanes  Oxley  404 
or  Bill  1983  internal  control  review;  an  organization  can  provide  full  senior 
executive  certification  of  internal  control  over  financial  reporting.  Alberta 
Investment  Management  Corporation  (AIMCo)  is  publicly  accountable  to  its 
investors,  who  may  soon  ask  it  to  provide  third-party  assurance  on  the  quality 
of  its  internal  control. 


We  tested  internal 
controls 
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3  In  the  United  States,  Section  404  of  the  Sarbanes-Oxley  Act  of  2002  (SOX  404)  requires  each  annual  report  of  a  public 
company  to  include  a  report  by  management  on  the  company's  internal  control  over  financial  reporting.  In  Canada,  an 
Ontario  legislative  bill,  Bill  198,  provides  equivalent  legislation.  It  is  commonly  known  as  the  "Canadian  Sarbanes  Oxley" 

Act  or  CSOX. 
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Internal  control  is  defined  as  the  processes  established  by  management  to 
provide  reasonable  assurance  about  achievement  of  the  organization's 
objectives  for  operations,  reporting  and  compliance.  When  Chief  Executive 
Officers  (CEO)  and  Chief  Financial  Officers  (CFO)  make  internal  control 
processes  a  top  priority,  their  direct  reports  will  also  make  quality  internal 
control  a  top  priority. 

A  well-designed  internal  control  system  provides  reasonable  assurance  that 
client  investments  are  safeguarded  and  that  accurate  and  reliable  investment 
transactions  and  performance  measures  are  reported  to  investors  promptly. 
Management  should  select  an  appropriate  control  framework,  document  its 
approach  to  assessing  risk  and  appropriate  control,  and  include  some  level  of 
testing. 

Many  organizations  have  established  sub-certification  processes  with  direct 
reports  to  the  CEO  and  CFO  providing  formal  certifications  on  the  effectiveness 
of  internal  controls  for  their  areas  of  responsibility.  Processes  for  certifying  the 
design  and  operating  effectiveness  of  internal  controls  should  follow  a  phased 
approach,  including  reviewing  risks,  assessing  the  control  environment, 
reviewing  relevant  control  information,  identifying  relevant  control  systems, 
assessing  other  entity  controls  for  all  business  processes,  assessing  findings,  and 
forming  conclusions. 

Criteria:  the  standards  we  used  for  our  audits 

AIMCo's  strategic  plan  should  include  obtaining  internal  control  certification. 

AIMCo  should  use  a  top-down  risk-based  approach  to  develop  processes  for 
assessing  the  design  and  operating  effectiveness  of  internal  controls  and  base 
them  on  a  recognized  internal  control  framework. 

The  CEO  and  CFO  should  lead  the  process,  which  should  be  integrated  with 
management  compensation  and  accountability  structures. 

AIMCo  should  use  a  phased  approach. 

Our  audit  findings 

AIMCo's  2008-2009  strategic  plan  does  not  include  obtaining  internal  control 
certification.  For  the  past  year,  the  internal  audit  and  compliance  (IACO)  group 
has  been  leading  a  process  of  documenting,  evaluating  and  re-engineering 
AIMCo's  internal  control  processes  using  a  Sarbanes-Oxley  Section  404 
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(SOX  404)  framework4.  It  was  selected  by  AIMCo  as  it  is  the  most  commonly 
used  framework.  This  work  was  done  to  understand,  document  and  improve  the 
internal  controls  at  AIMCo  and  was  not  specifically  targeted  at  obtaining 
internal  control  certification. 

The  CEO  and  Chief  Operating  Officer,  although  involved,  have  not  taken  an 
active  role  in  the  process.  They  and  AIMCo  managers  have  largely  delegated 
assessment  of  the  design,  operating  effectiveness  and  re-engineering  of  internal 
control  processes  to  the  Chief  IACO  officer.  The  AIMCo  management  group  is 
not  using  sub-certification  of  internal  processes  under  their  supervision. 

The  management  bonus  structure  is  based  on  investment  performance  and  does 
not  require  that  managers  work  to  improve  the  internal  control  environment  in 
their  departments.  Management  attention  is  not  focused  on  internal  controls. 
Two-thirds  of  our  prior  year  recommendations  for  internal  control  improvement 
have  not  been  implemented. 

Implications  and  risks  if  recommendation  not  implemented 

Weak  internal  control  processes  at  AIMCo  may  not  be  detected  and  re- 
engineered,  and  it  may  not  be  able  to  provide  internal  control  certification  if 
requested  to  do  so  by  investors.  Management  may  receive  bonuses  even  though 
the  internal  control  processes  in  their  departments  are  inadequate.  AIMCo  risks 
fraud,  error  and  investment  losses. 

3.2  Conflicting  responsibilities  for  internal  audit 
Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation  rectify 
the  conflicting  job  responsibilities  of  its  Chief  Internal  Audit  and 
Compliance  Officer. 

Background 

The  Internal  Audit  and  Compliance  (IACO)  group  at  AIMCo  performs  critical 
functions.  The  chief  of  the  group  is  the  head  of  the  internal  audit  group,  head  of 
the  compliance  group  and  member  of  the  AIMCo  executive  and  audit 
committees.  The  chief  has  to  implement  external  and  internal  audit 
recommendations  and  lead  the  development  of  the  internal  control  framework. 

Many  of  the  responsibilities  listed  above  are  normally  those  of  a  Chief 
Financial  Officer  (CFO).  External  and  internal  auditor  recommendations  are 


1  SOX  404  requires  the  development  of  an  internal  control  framework  for  the  purpose  of  fraud  risk  mitigation  and  the 

protection  of  shareholders. 
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usually  dealt  with  by  the  CFO  who  works  with  operational  management  to 
ensure  that  recommendations  are  implemented.  Internal  audit  does  not  typically 
implement  its  own  recommendations,  due  to  the  clear  conflict  of  interest. 

Criteria:  the  standards  we  used  for  our  audits 

AIMCo  should  have  clearly  defined  roles  and  responsibilities  for  the  CFO, 
Internal  Auditor,  and  Compliance  Officer.  This  segregation  of  duties  should 
ensure  that  no  single  person  is  responsible  for  testing  compliance  with  internal 
control  processes,  making  internal  control  recommendations,  developing  new 
internal  control  processes,  working  with  auditors  to  implement  internal  control 
recommendations,  and  reporting  on  the  implementation  of  the  revised 
processes. 

Our  audit  findings 

The  Chief  IACO  Officer  performs  many  conflicting  job  functions — including 
implementing  and  reporting  on  the  implementation  of  his  own 
recommendations.  AIMCo  senior  management  takes  a  secondary  role  in 
implementing  internal  and  external  auditor  recommendations  by  delegating  this 
responsibility  to  the  Chief  IACO  Officer.  The  CFO  role  could  assume  many  of 
the  responsibilities  that  IACO  now  performs. 

Implications  and  risks  if  recommendation  not  implemented 

Conflicting  roles  for  the  AIMCo  Chief  IACO  Officer  nullify  the  effectiveness 
of  both  the  internal  audit  and  compliance  functions  and  may  increase  the  risk  of 
undetected  error  and  fraud. 
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3.3  Procedures  for  valuing  real  estate  investments 
Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation 
improve  its  procedures  for  valuing  real  estate  investments  by: 

•  developing  a  detailed  accounting  policy  which  considers  contingent 
liabilities  such  as  development  and  incentive  fees. 

•  segregating  the  valuation  of  real  estate  investments  from  the  portfolio 
management  role. 

•  developing  procedures  to  reconcile  the  fair  value  and  cost  of  real  estate 
investments  in  the  investments  general  ledger  to  the  partner  accounts 
in  the  audited  financial  statements  of  the  real  estate  holding 
companies. 


Background 

$5  billion  in  real  AIMCo  manages  real  estate  investments  with  a  fair  value  of  about  $5  billion, 

es  ate  investmen  s         These  real  estate  investments  are  in  holding  companies  and  may  be  fully  or 
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jointly  owned.  Properties  under  development  may  be  subject  to  development 
agreements.  Agreements  with  co-investors  may  include  incentive  or 
performance  fees  to  be  paid  if  certain  real  estate  values  are  achieved. 

The  accounting  policy  for  valuing  real  estate  investments  states  that  the  fair 
value  of  real  estate  investments  is  reported  at  the  most  recent  appraised  value, 
net  of  any  liabilities  against  the  real  property.  There  is  no  specific  definition  of 
what  a  liability  against  real  property  is. 

The  current  valuation  is  performed  by  the  AIMCo  real  estate  portfolio 
management  group.  The  portfolio  managers  obtain  annual  third-party  appraisals 
for  all  properties.  Capital  expenditure,  development  and  incentive  agreements 
for  the  properties  are  reviewed.  The  appraised  value  may  be  reduced  by  future 
capital  expenditures,  cost  of  potential  sales,  contingent  incentive  fees, 
promotion  or  development  fees  and  fair  value  adjustments  for  mortgage  debt. 
The  Valuation  and  Fund  accounting  group  uses  the  calculations  of  the  real 
estate  portfolio  management  group  to  arrive  at  the  final  fair  value  recorded  in 
the  investments  general  ledger. 

Holding  company  financial  statements  and  budgets  are  prepared  by  the 
appointed  building  asset  managers  who  are  also  responsible  for  managing  the 
overall  operation  of  the  real  estate  property.  Audited  financial  statements  of  the 
real  estate  holding  companies  are  obtained  within  six  months  after  year  end. 

Criteria:  the  standards  we  used  for  our  audits 

Adjustments  to  property  appraisals  should  comply  with  a  detailed  valuation 
policy  that  considers  market  value  of  mortgages,  capital  expenditure 
agreements,  development  agreements,  incentive  agreements,  and  other 
contingent  liabilities. 

There  should  be  segregation  of  duties  between  the  portfolio  management  group 
and  investment  administration  group  so  that  managers  who  are  paid  based  on 
performance  of  the  real  estate  investment  pool  do  not  also  prepare  the  pool 
valuation. 

The  fair  value  and  cost  of  real  estate  investments  in  the  investments  general 
ledger  should  be  reconciled  to  the  partner  accounts  in  the  audited  financial 
statements  of  the  real  estate  holding  companies  to  ensure  that  all  audit 
adjustments  are  reflected  in  the  general  ledger  accounts. 
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Our  audit  findings 

The  manager  of  the  real  estate  group  prepared  the  valuations  for  the  pool.  The 
appraised  values  for  1 1  properties  were  adjusted  down  for  contingent  liabilities 
totalling  $121  million.  These  contingent  liabilities  included  future  year's 
projected  capital  expenditures,  development  fees,  incentive  fees,  promotion  fees 
and  costs  of  future  sales.  Documentation  supplied  by  the  real  estate  portfolio 
manager  did  not  provide  appropriate  audit  evidence  to  support  $41  million  of 
these  adjustments. 

The  accounting  policy  for  real  estate  investments  did  not  consider  contingent 
liabilities  which  included  capital  expenditure  agreements,  development 
agreements  and  incentive  agreements. 

Real  estate  portfolio  managers  received  bonuses  which  were  based  on  the  fair 
value  returns  from  real  estate  investments,  derived  from  pool  valuations. 

We  were  unable  to  find  evidence  of  a  process  to  reconcile  the  cost  and  fair 
value  of  the  real  estate  holding  companies  in  the  investments  general  ledger  to 
the  partner  accounts  in  the  audited  financial  statements  of  the  holding 
companies. 

Implications  and  risks  if  recommendation  not  implemented 

If  the  real  estate  group  assesses  real  estate  fair  values — without  an  independent 
review  by  the  investment  administration  group — AIMCo  risks  errors,  misstated 
transactions,  inappropriate  compensation  and  reporting  of  real  estate  gains  and 
losses  in  inappropriate  periods. 

Lack  of  reconciliation  to  audited  values  could  lead  to  errors  and  misstated 
transactions. 

3.4  Ensuring  completeness  and  accuracy  of  private  equity  partnership 
investments — recommendation  repeated 
Recommendation  No.  33 

We  again  recommend  that  Alberta  Investment  Management  Corporation 
reconcile  its  investments  in  private  equity  partnerships  to  the  audited 
partnership  financial  statements. 

Background 

In  our  2006-2007  Annual  Report  (Vol.  2,  page  92),  we  recommended  that 
AIMCo  reconcile  its  investments  in  private  equity  partnerships  to  the  audited 
partnership  financial  statements.  AIMCo  manages  1 1  private  equity  pools  held 
through  limited  partnerships  in  which  the  Crown  holds  a  direct  interest  or  an 
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indirect  interest  through  a  Crown  Corporation.  These  partnerships  are  in 
Canada,  the  United  States  and  elsewhere.  Holding  companies'  financial 
statements  are  externally  audited  and  made  available  to  AIMCo  within  six 
months  after  their  year  end. 

Criteria:  the  standards  we  used  for  our  audit 

The  partnership  interest  recorded  in  the  investments  general  ledger  should  be 
reconciled  to  the  audited  partnership  financial  statements  annually.  The  general 
ledger  should  be  adjusted  for  differences. 

Our  audit  findings 

To  reconcile  private  equity  pools,  AIMCo  completed: 

•  financial  statement  reconciliations  and  adjustments  for  the  Timberland  pool 
up  to  December  31,  2007. 

•  financial  statement  reconciliations  for  the  FP05  and  GP07  private  equity 
pools  as  of  September  30,  2007  but  did  not  make  any  adjustments. 

But  it  did  not  prepare  any  reconciliations  for  the  remaining  nine  private  equity 
pools.  The  Timberland  pool  is  a  separate  pool,  outside  of  the  private  equity 
pools. 

Implications  and  risks  if  recommendations  not  implemented 

Private  equity  investment  costs,  fair  values  and  income  may  be  inaccurately 
reported  in  the  investments  general  ledger  resulting  in  incorrect  investment 
returns. 

3.5  International  Swaps  and  Derivatives  Association  Agreements 
Recommendation  No.  34 

We  recommend  that  Alberta  Investment  Management  Corporation 
regularly  review  its  International  Swaps  and  Derivatives  Association 
agreements  to  ensure  that  they  protect  it  from  the  risk  of  default  by  its 
counterparties. 

We  also  recommend  that  the  Corporation  document  the  reasons  for  any 
changes  to  the  standard  form  of  the  agreement. 

Background 

AIMCo  has  documented  its  derivative  policy  in  a  compliance  manual.  The 
policy  allows  derivative  (swap)  deals  only  with  approved  counterparties  who 
have  good  credit  ratings,  A+  and  above.  Counterparties  are  approved  by  the 
Derivative  Risk  Management  Committee. 
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AIMCo  complies  with  investment  industry  requirements  and  ensures  that  both 
parties  sign  an  International  Swaps  and  Derivatives  Association  (ISDA)3 
agreement. 

AIMCo 's  policy  also  requires  all  approved  counterparties  with  a  credit  rating  of 
AA-/Aa3  and  below  to  sign  a  Material  Adverse  Change  (MAC)  clause  in  the 
ISDA  agreement.  The  MAC  clause  is  an  indemnity  agreement  that  gives 
AIMCo  the  option  to  terminate  the  deal  or  to  transfer  it  to  a  second  counterparty 
if  the  original  counterparty's  credit  rating  is  downgraded  below  A-/A3. 

Criteria:  the  standards  we  used  for  our  audit 

Due  diligence  requires  AIMCo  to  have  a  documented  process  to  review  its 
counterparty  agreements  regularly.  AIMCo  should  regularly  review  the  ISDA 
agreements  and  their  supporting  schedules,  including  MAC  clauses,  for 
adequacy. 

If  any  counterparty  signs  a  non-standard  ISDA  agreement,  AIMCo  should 
document  the  reasons  for  any  deviation  from  the  standard  agreement  and  review 
it  regularly  to  ensure  that  the  form  of  the  agreement  continues  to  be  appropriate. 


Our  audit  findings 

Full  agreements  two  counterparties  signed  partial  and  not  full  MAC  clauses.  Their  credit  ratings 

notsiSned  then  dropped  to  AA-/Aa3. 

AIMCo 's  policy  requires  that  all  approved  counterparties  with  credit  ratings  of 
AA-/Aa3  and  below  to  sign  a  MAC  clause  in  their  ISDA  agreement.  The 
counterparties  had  signed  partial  MAC  clauses  with  a  termination  provision. 
The  full  MAC  clause  includes  an  additional  termination  provision  and  an  option 
to  transfer  the  transaction  to  a  second  counterparty.  The  original  counterparty 
must  make  reasonable  efforts  to  facilitate  the  transfer.  Without  the  full  MAC 
clause,  AIMCo  could  terminate  the  transaction,  but  may  not  be  able  to  transfer 
it  to  a  second  counterparty. 

The  contract  files  had  no  documentation  explaining  the  use  of  partial  MAC 
clauses  in  the  ISDA  agreements  with  these  two  counterparties.  Although  no 
immediate  threat  of  default  by  the  two  counterparties  was  apparent,  their 
deteriorating  credit  ratings  make  this  risk  more  likely. 


5  ISDA  is  a  global  financial  trade  association  which  represents  participants  in  the  privately  negotiated  derivatives  industry. 
ISDA  has  created  a  standardized  contract  (the  ISDA  Master  Agreement)  to  enter  into  derivatives  transactions.  The  ISDA 
Master  Agreement  contains  general  terms  and  conditions  but  does  not  include  details  of  specific  derivatives  transactions.  It 
a  pre-printed  form  with  a  manually  produced  schedule  in  which  the  parties  are  required  to  select  options  and  may  modify 
sections  of  the  Master  Agreement  if  desired. 
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We  also  found  no  evidence  that  AIMCo  regularly  reviews  their  ISDA 
agreements. 

Implications  and  risks  if  recommendation  not  implemented 

AIMCo  may  be  unnecessarily  exposed  to  losses  from  counterparty  failure. 

3.6  Controls  over  trading  with  approved  counterparties 
Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation 
improve  its  processes  for  setting  up  and  maintaining  approved 
counterparties  in  the  swap  database  system. 

Background 

AIMCo 's  counterparty  trading  policy  states  that  it  can  engage  in  derivative 
transactions  with  counterparties  that  were  approved  by  the  Derivative  Risk 
Management  Committee  and  that  have  signed  an  International  Swap  and 
Derivative  Association  (ISDA)  agreement.  The  ISDA  agreement  must  include  a 
Material  Adverse  Change  (MAC)  clause  if  the  counterparty  has  a  credit  rating 
below  AA-/Aa3.  If  the  counterparty  credit  rating  is  below  this  level  and  a  MAC 
clause  has  not  been  obtained,  no  trading  can  be  done  with  that  counterparty. 

AIMCo  uses  a  swap  database  system  in  which  approved  counterparties  are 
maintained  on  a  master  file.  When  investment  traders  want  to  initiate  a  swap 
transaction,  they  begin  by  selecting  an  approved  counterparty  from  a  drop-down 
menu  in  the  swap  database  system. 

Criteria:  the  standards  we  used  for  our  audit 

Only  approved  counterparties  with  appropriate  indemnity  provisions  should  be 
set  up  in  the  swap  database. 

Our  audit  findings 

A  counterparty  was  included  in  the  counterparty  trading  list  in  the  swap 
database  system  but  it  had  not  signed  an  ISDA  agreement  with  AIMCo. 
Another  counterparty  with  a  credit  rating  of  Aa3,  had  signed  an  ISDA 
agreement  but  not  a  MAC  clause.  This  counterparty  showed  as  suspended  from 
trading,  but  was  not  removed  from  the  counterparty  trading  list  in  the  database. 
No  derivative  transactions  had  been  made  with  either  counterparty. 

Implications  and  risks  if  recommendation  not  implemented 

The  lack  of  a  strong  system  to  remove  unauthorized  counterparties  or  those 
with  poor  credit  ratings  from  the  swap  database  system  may  allow  traders  to 
unknowingly  enter  into  inappropriate  derivative  transactions.  This  may  expose 
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AIMCo  investors  to  potential  losses  from  business  failures  of  the 
counterparties. 

3.7  Performance  measurement  review  processes 
Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation 
improve  its  processes  for  management  review  and  approval  of  investment 
performance  information  by  implementing  a  review  and  approval  process 
for  investment  performance  reports. 

Background 

The  performance  measurement  group  prepares  the  performance  issue  and 
performance  unitization  reports.  The  reports  provide  investment  performance 
information  that  is  the  basis  of  performance  reporting  to  portfolio  managers  and 
ultimately  to  investors.  These  reports  are  an  important  control  to  ensure  that 
investment  performance  is  being  reported  completely  and  accurately. 

Criteria:  the  standards  we  used  for  our  audit 

A  senior  member  of  the  performance  measurement  group  should  review 
investment  performance  information  reports  and  document  the  review  by 
signing  or  initialing  the  reports. 

Our  audit  findings 

We  found  no  evidence  of  review  by  the  manager  of  the  performance 
measurement  group  for  all  performance  issue  reports  we  tested.  We  also  found 
no  evidence  that  the  group  manager  reviewed  the  performance  unitization  report 
for  three  out  of  six  reports  tested. 

Implications  and  risks  if  recommendation  not  implemented 

Lack  of  proper  management  review  and  approval  of  performance  measurement 
reports  indicates  that  preventive  internal  controls  may  not  be  functioning  and 
could  result  in  unidentified  errors  and  inaccurate  investment  returns. 

3.8  Controls  over  records  management 
Recommendation 

We  recommend  that  Alberta  Investment  Management  Corporation 
maintain,  file  and  be  able  to  retrieve  all  hard-copy  records  supporting 
completed  investment  transactions. 

Background 

Hard  copy  records  Many  documents  supporting  the  initiation,  verification  and  review  of  completed 
filed  in  vault  investment  transactions  are  kept  only  in  hard-copy,  or  paper  form.  These 
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documents  are  stored  in  the  vault  and  are  filed  by  AIMCo  record  management 
staff. 

Criteria:  the  standards  we  used  for  our  audit 

All  hard  copy  records  supporting  completed  investment  transactions  should  be 
appropriately  maintained  and  stored  to  ensure  easy  retrieval  for  legal  and  audit 
purposes. 

Our  audit  findings 

Investment  administration  division  staff  members  could  not  locate  the  following 
reports  selected  for  audit  testing: 

•  Outstanding  Fails  and  Reports  of  Adjustments  dated  between 
May  10  to  23,  2007  and  August  1 1  to  26,  2007.  Outstanding  Fails  reports 
identify  cash  not  paid  or  received  for  the  day.  Reports  of  Adjustments  list 
all  the  adjustments  recorded  in  the  investments  general  ledger  by  Trade 
Support  for  the  specific  day. 

•  Summary  Statistics  and  Detailed  Unmatched  Transactions  reports  for 
specific  dates  from  May  29  to  October  16,  2007.  Summary  Statistics 
reports  list  the  number  of  trades  settled.  Detailed  Unmatched  Transaction 
reports  identify  differences  in  amounts  settled  to  what  was  recorded  in  the 
investments  general  ledger. 

AIMCo  staff  searched  and  found  a  small  number  of  the  reports  were  misfiled. 
They  did  not  find  the  remaining  reports. 

Implications  and  risks  if  recommendation  not  implemented 

Missing  documents  could  contain  sensitive  information  that  could  expose 
AIMCo  to  legal  risks.  Transactions  and  events  with  no  supporting 
documentation  may  indicate  that  fraudulent  transactions  have  been  recorded. 

4.   Alberta  Capital  Finance  Authority 

Deadlines  to  finalize  financial  statements,  finish  the  audit,  and  schedule 

the  Audit  Committee  meeting 

Recommendation 

We  recommend  that  management  and  the  Audit  Committee  of  Alberta 
Capital  Finance  Authority  extend  the  deadlines  for: 

•  finalizing  the  financial  statements. 

•  completing  the  financial  statement  audit. 

•  scheduling  of  the  Audit  Committee  meeting  to  approve  the 
December  31,  2008  financial  statements. 


Several  reports  not 
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Background 

The  new  financial  instruments  accounting  standard  has  introduced  complexities 
to  the  financial  statement  closing  and  reporting  process.  The  adoption  of 
International  Financial  Reporting  Standards6  in  2011  will  add  more 
complexities.  The  Audit  Committee  meeting  to  approve  the  December  31.  2007 
financial  statements  was  scheduled  for  6  weeks  after  the  year  end  date.  But 
before  the  Audit  Committee  meets,  ACFA  staff  have  to  close  the  accounting 
records,  calculate  all  fair  values  for  financial  instruments,  and  prepare  draft 
financial  statements  and  notes  including  all  material  disclosures  required  by 
Canadian  accounting  standards. 


Criteria:  the  standards  we  used  for  our  audit 

ACFA  management  should: 

•  have  enough  time  to  prepare  the  financial  statements  in  accordance  with 
Canadian  accounting  standards.  Management  should  ensure  that  the 
amounts  reported  in  the  financial  statements  are  accurate  and  that  all 
material  disclosures  required  by  Canadian  accounting  standards,  including 
disclosures  required  by  new  standards,  are  included. 

•  make  the  draft  financial  statements  and  notes  available  to  the  auditors  at  the 
start  of  the  audit  and  ensure  that  they  contain  few  or  no  adjustments  or 
omissions  of  required  disclosures. 


Insufficient  time 
to  prepare 
financial 
statements 


Our  audit  findings 

Management  had  only  the  same  time  to  prepare  the  financial  statements  and 
complete  the  disclosures  as  it  had  last  year — even  though  the  process  for 
closing  and  reporting  on  the  financial  statements  became  more  complex. 


The  draft  financial  statements  and  notes  provided  to  the  auditors  at  the  start  of 
the  audit  required  adjustment  and  additional  disclosures. 


Implications  and  risks  if  recommendations  not  implemented 

The  risk  of  misstatement  -  due  to  errors  in  applying  accounting  standards  or 
doing  calculations,  or  due  to  missing  material  disclosures  -  increases  if 
management  does  not  have  enough  time  to  properly  prepare  and  review 
financial  statements. 


6  Canada  is  adopting  International  Financial  Accounting  Standards  (IFRS)  in  201 1.  Many  of  the  IFRS  are  different  than 
current  Canadian  accounting  standards.  ACFA  will  need  to  thoroughly  understand  IFRS  and  decide  if  their  current 
accounting  policies  and  practices  will  have  to  change.  The  financial  statements  for  the  year  ended  December  31.  2010  will 
have  to  be  restated  to  conform  to  IFRS  standards. 
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5.   Alberta  Securities  Commission 
5.1  Purchase  policy 
Recommendation 

We  recommend  that  the  Alberta  Securities  Commission  clarify  its 
Purchase  Policy  to  ensure  compliance  with  the  Trade,  Investment  and 
Labour  Mobility  Agreement. 

Background 

The  Trade,  Investment  and  Labour  Mobility  Agreement  (TILMA)  is  an 
agreement  struck  between  the  provinces  of  Alberta  and  British  Columbia  to 
reduce  barriers  to  trade,  investment,  and  labour  in  both  provinces.  Effective 
April  1,  2007,  the  Alberta  Securities  Commission  (ASC)  was  required  to 
comply  with  the  provisions  of  TILMA  when  it  was  seeking  to  procure  goods 
greater  than  $10,000,  services  greater  than  $75,000,  and  construction  greater 
than  $100,000.  As  part  of  the  compliance,  the  ASC  is  required  to  undergo  a 
public  bidding  process  and  the  ASC  must  sign  a  contract  with  the  successful 
bidder.  Effective  April  1,  2009,  non-compliance  can  result  in  a  fine  of  up  to 
$5  million. 

ASC's  purchase  policy  is  intended  to  comply  with  TILMA.  The  purchase 
policy  also  sets  out  signing  limits  for  different  levels  of  management. 

Criteria:  the  standards  we  used  for  our  audit 

The  ASC's  purchase  policy  should  be  clearly  communicated  to  staff  and  roles 
and  responsibilities  should  be  assigned  to  specific  departments  to  ensure  that 
TILMA  is  adhered  to. 

Our  audit  findings 

The  ASC's  purchase  policy  contains  contradictions  and  is  difficult  to 
understand.  For  instance,  in  Section  1  of  the  purchase  policy,  it  states  that  all 
purchases  of  services  greater  than  $25,000  require  both  a  purchase  order  and  a 
contract.  However,  in  Section  2.2,  it  states  that  a  service  costing  greater  than 
$25,000  can  be  processed  either  through  a  contract  or  a  purchase  order.  We  also 
noted  that  in  practice,  the  ASC  will  use  either  a  purchase  order  or  a  contract  but 
not  both  control  documents. 

Another  contradiction  was  noted  in  Section  3  of  the  purchase  policy.  In  that 
section,  it  states  that  all  purchases  of  goods  greater  than  $25,000  require  a 
contract.  However,  all  goods  greater  than  $10,000  are  required  to  undergo  a 
public  bidding  process  and  the  results  of  that  process  are  to  be  documented  by  a 
written  contract  to  ensure  compliance  with  TILMA. 
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While  there  are  exemptions  from  TILMA  for  certain  goods  and  services,  the 
exemptions  were  not  completely  defined  within  the  purchase  policy.  Upon 
discussion  with  ASC  staff,  we  were  informed  that  the  ASC  wanted  its  General 
Counsel  to  determine  if  a  good  or  service  was  exempt  rather  than  to  leave  that 
determination  with  individual  department  managers.  However,  it  states  in 
Section  2.3  that  staff  should  consult  internal  accounting  staff  in  determining 
exemptions  pertaining  to  purchase  of  goods  or  services. 

Implications  and  risks  if  recommendation  not  implemented 

Unclear  or  absent  instructions  increase  the  risk  that  the  ASC  will  not  comply 
with  TILMA  or  internal  control  objectives. 

5.2  Hosting  and  working  sessions  policies— implemented 

In  our  2004-2005  Annual  Report  (page  198),  we  recommended  the  ASC  update 
policies  and  improve  controls  over  hosting  and  working  session  expenses.  In 
our  2005-2006  Annual  Report  (vol.  2.  page  105),  we  noted  that  ASC  had 
completed  a  draft  copy  of  its  hosting  and  working  sessions  policy.  In  our  2006- 
2007  Annual  Report  (vol.  2,  page  102),  we  noted  the  hosting  and  working 
sessions  policies  had  been  approved. 

In  our  expense  claim  testing  this  year,  no  deviations  were  noted. 


Performance  reporting 

Financial  statements 

We  issued  unqualified  audit  opinions  on  the  financial  statements  of  the  Ministry 
and  the  Department  for  the  year  ended  March  31,  2008. 

We  issued  unqualified  audit  opinions  for  the  year  ended  March  31,  2008  on  the 
following  entities  that  are  consolidated  within  the  Ministry: 

•  Alberta  Cancer  Prevention  Legacy  Fund 

•  Alberta  Heritage  Foundation  for  Medical  Research  Endowment  Fund 

•  Alberta  Heritage  Savings  Trust  Fund 

•  Alberta  Heritage  Scholarship  Fund 

•  Alberta  Heritage  Science  and  Engineering  Research  Endowment  Fund 

•  Alberta  Investment  Management  Corporation7 

•  Alberta  Risk  Management  Fund 

•  Alberta  Securities  Commission 

•  N.A.  Properties  (1994)  Ltd. 


7  For  three  months  ended  March  31,  2008. 
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•  Provincial  Judges  and  Masters  in  Chambers  Reserve  Fund 

•  Supplementary  Retirement  Plan  Reserve  Fund 

We  issued  unqualified  audit  opinions  for  the  year  ended  December  31,  2007  on 

the  following  entities  that  are  consolidated  within  the  Ministry: 

•  Alberta  Capital  Finance  Authority 

•  Alberta  Local  Authorities  Pension  Plan  Corp. 

•  Alberta  Pensions  Administration  Corporation 

•  Credit  Union  Deposit  Guarantee  Corporation 

We  issued  an  unqualified  audit  opinion  for  Gainers  Inc.  for  the  year  ended 
September  30,  2007. 

We  issued  unqualified  auditor's  opinions  for  all  of  the  financial  statement  audits 
we  completed  for  Alberta  Treasury  Branches  (ATB)  and  its  subsidiaries  (ATB 
Investment  Services  Inc.,  ATB  Investment  Management  Inc.,  ATB  Securities 
Inc.,  ATB  Insurance  Advisors  Inc.)  for  the  year  ended  March  31,  2008.  We 
issued  an  unqualified  audit  opinion  on  the  financial  statements  of  ATB' s 
Management  Pension  Plan  for  the  year  ended  December  31,  2007. 

We  issued  unqualified  review  engagement  reports  on  ATB's  quarterly  financial 
statements. 


Alberta  Treasury 
Branches*** 


A  public  accounting  firm  performed  compliance  audits  of  ATB's  three 
subsidiaries  (ATB  Investment  Services  Inc.,  ATB  Investment  Management  Inc., 
and  ATB  Securities  Inc.)  and  reported  directly  to  the  applicable  regulatory 
bodies.  We  reviewed  the  results  of  these  audits: 

•  Mutual  Fund  Dealers  Association  of  Canada's  Financial  Questionnaire  and 
Report  as  at  March  31,  2008. 

•  Investment  Dealers  Association  of  Canada's  Joint  Regulatory  Financial 
Questionnaire  and  Report  as  at  March  31,  2008. 

•  Compliance  with  applicable  sections  of  National  Instrument  8 1  - 1 02  as 
required  by  the  Alberta  Securities  Commission  for  the  year  ended 
March  31,  2008. 


Entities  not 
consolidated 
within  the 
Ministry 


We  issued  unqualified  audit  opinions  on  the  financial  statements  of  the 
following  entities  for  the  year  ended  March  31,  2008  that  are  not  consolidated 
within  the  Ministry: 

•  ARCA  Investments  Inc. 

•  Consolidated  Cash  Investment  Trust  Fund 

•  Provincial  Judges  and  Masters  in  Chambers  (Registered)  Pension  Plan 
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We  issued  unqualified  audit  opinions  on  the  financial  statements  of  the 
following  entities  for  the  year  ended  December  31.  2007  that  are  not 
consolidated  within  the  Ministry: 

•  Local  Authorities  Pension  Plan 

•  Management  Employees  Pension  Plan 

•  Public  Service  Management  (Closed  Membership)  Pension  Plan 

•  Public  Service  Pension  Plan 

•  Special  Forces  Pension  Plan 

•  Supplementary  Retirement  Plan  for  Public  Service  Managers 

Other  reviews  We  examined  the  financial  statements,  management  letters,  and  audit  files  for 

the  year  ended  December  31,  2007  for  Alberta  Insurance  Council,  a  Crown- 
controlled  corporation  consolidated  with  the  Ministry.  A  public  accounting  firm 
audits  the  Council. 

We  provided  interim  review  reports  on  the  Alberta  Heritage  Savings  Trust 
Fund's  quarterly  financial  statements  to  the  Minister  of  Finance.  The  reports 
say  that  we  are  not  aware  of  any  material  changes  that  are  needed  for  these 
financial  statements  to  meet  Canadian  generally  accepted  accounting  principles. 

Performance  measures 
No  exceptions  vVe  found  no  exceptions  when  we  completed  our  specified  auditing  procedures 

on  the  Ministry's  performance  measures. 
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Health  and  Wellness 

Summary  of  our  recommendations 

To  improve  delivery  of  mental  health  services  in  accordance  with  the  Provincial 
Mental  Health  Plan,  the  Ministry  needs  to  improve  its  systems  for  delivering  mental 
health  services  to  clients  by  developing  standards  and  eliminating  gaps  in  services- 
see  page  162. 

The  Department  should: 

•  complete  a  comprehensive  risk  assessment  and  develop  a  risk  based  audit  plan 
for  its  compliance-monitoring  activities — see  page  300. 

•  improve  controls  for  health  facility  infrastructure  grants — see  page  301 . 

•  define  roles  and  responsibilities  and  update  policies  and  procedures  for 
Province  Wide  Services — see  page  303 

Alberta  Health  Services — Calgary  Health  Region  should  improve: 

•  its  information  technology  change  management  controls — see  page  306. 

•  its  information  technology  user  access  management  controls — see  page  307. 

Alberta  Health  Services — Capital  Health  should  improve: 

•  its  information  technology  security  controls — see  page  308 

•  its  information  technology  change  management  controls — see  page  309. 

Alberta  Health  Services — Peace  Country  Health  should: 

•  improve  its  policies  and  processes  for  employee  expense  claims  and  corporate 
credit  cards — see  page  311. 

•  implement  a  sole-sourcing  contracting  policy — see  page  312. 

•  improve  its  information  technology  user  access  controls — see  page  313 

The  Health  Quality  Council  of  Alberta  should: 

•  improve  its  process  for  conducting  investigations  into  patient  safety  and  health 
service  quality  matters — see  page  317. 

•  provide  guidance  on  use  of  legal  assistance  when  conducting  investigations- 
see  page  319 
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Our  audit  findings  and  recommendations 

1 .   Compliance  monitoring  activities 
Recommendation  No.  35 

We  recommend  that  the  Department  of  Health  and  Wellness  complete  a 
comprehensive  risk  assessment  and  develop  a  risk  based  plan  to  improve 
the  effectiveness  of  its  compliance-monitoring  activities. 


Monitors 
physician  billings 
and  health-care 
insurance  plan 
activities 


Background 

Historically,  the  Compliance  Assurance  Unit  (the  Unit)  monitored  compliance 
of  physician  billings  and  health-care  insurance  plan  activities  with  policies  and 
legislation.  The  Unit  has  also  been  assigned  responsibility  for  monitoring 
compliance  with  standards  for  continuing  care  and  infection  prevention  and 
control. 


Criteria:  the  standards  we  used  for  our  audit 

The  Unit  should: 

•  complete  a  comprehensive  risk  assessment  that  guides  its  compliance- 
monitoring  activities. 

•  develop  a  plan  to  monitor  compliance  with  policies  and  legislation  based 
on  the  risks  identified. 

•  monitor  and  report  on  the  results  achieved. 

•  assess  the  effectiveness  of  compliance-monitoring  activities. 


No  risk  assessment 
for  activities 
monitored 


Our  audit  findings 

The  Unit  has  not  completed  a  risk  assessment.  It  has  a  draft  risk  assessment  for 
physician  billings  and  health  care  insurance,  but  it  does  not  identify  and  assess 
all  significant  risks  related  to  these  activities.  As  the  Unit's  mandate  grows  to 
include  monitoring  compliance  with  standards  for  continuing  care,  and  infection 
prevention  and  control,  the  risk  assessment  will  also  need  to  grow  to  cover  these 
activities. 


Compliance 
monitoring  plan  is 
general 


The  Unit  has  a  draft  audit  plan  for  2007-2008,  but  has  not  finalized  it.  This  plan 
identifies  the  compliance-monitoring  activities  for  physician  billings  and  health 
care  insurance,  but  it  is  general  and  does  not  link  back  to  the  risk  assessment.  It 
does  not  identify  the  objectives  for  the  activities,  sampling  methodology,  or 
approach.  Nor  does  it  include  measures  to  assess  the  effectiveness  of 
compliance-monitoring  activities.  Once  the  Unit  develops  the  risk  based  plan, 
the  Unit  needs  to  periodically  report  progress  towards  achieving  it. 
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Effectiveness  of 
monitoring 
activities  not 
assessed 


The  Unit  has  also  not  assessed  the  effectiveness  of  its  current  compliance- 
monitoring  activities.  Our  review  of  its  procedures  for  assessing  physician 
billings  found  the  following: 


Acceptable 
response  rate  for 
provider 

verification  letters 
not  defined 


Recoveries  from 
weekly  claim 
sampling  low 


Criteria  to  identify 
unusual  billings 


Provider  verification  letters — The  Unit  has  not  defined  what  an  acceptable 
response  rate  is  and  does  not  follow  up  on  non-responses.  The  Unit  verifies 
physician  billings  by  mailing  3000  provider-verification  letters  to  randomly 
selected  patients  each  month.  The  response  rate  for  these  letters  was  63% 
between  April  and  December  2007.  Without  defining  an  acceptable  response 
rate,  it  is  difficult  to  determine  if  the  procedure  is  effective. 

Weekly  claims  sampling — The  recoveries  from  this  process  are  low  ($3,800 
between  April  and  November  2007).  The  Unit  selects  a  random  sample  of  175 
to  225  physician  claims  processed  in  the  previous  week.  It  reviews  each  claim 
to  verify  that  it  was  paid  correctly  under  the  Schedule  of  Medical  Benefits  and 
the  Schedule  of  Allied  Health  Services,  Rules,  Regulations,  and  Registration 
requirements. 

Billing  reviews — Between  April  and  December  2007,  the  Unit  recovered 
overpayments  of  $773,930  through  this  process.  The  Unit  relies  on  complaints 
and  usage  rates  to  trigger  billing  reviews.  It  developed  a  list  of  criteria  to 
identify  potential  areas  for  review  in  May  2007  but  is  still  testing  them. 


Unit  may  monitor 
the  wrong  areas 


Implications  and  risks  if  recommendation  not  implemented 

Without  a  risk-assessment  process,  audit  plan,  and  mechanisms  to  assess 
effectiveness  of  activities,  the  Unit  may  monitor  the  wrong  areas  and  miss  the 
right  ones — mitigating  low  risks  and  failing  to  mitigate  high  risks.  It  may  also 
waste  resources. 


2.    Infrastructure  funding  for  health  facilities 
Recommendation 

We  recommend  that  the  Department  of  Health  and  Wellness  improve 
controls  over  infrastructure  grants  for  health  facilities  by  implementing: 

•  agreements  with  grant  recipients  that  clearly  outline  terms  and 
conditions,  roles  and  responsibilities  and  reporting  requirements; 

•  a  process  to  obtain  periodic  reporting  on  project  status. 
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Budget 
responsibility 
transferred  to 
Alberta  Health  and 
Wellness  in  2006 


Background 

In  2006,  budget  responsibility  for  the  Health  Facilities  Infrastructure  Program 
transferred  from  the  Department  of  Infrastructure  (Infrastructure)  to  the 
Department  of  Health  and  Wellness  (the  Department).  At  that  time,  the 
Department  and  Infrastructure  signed  a  Memorandum  of  Understanding  (MOU) 
stating  that: 

•  The  Department  and  Infrastructure  will  jointly  sign  project  approval 
submissions  and  recommend  funding  within  the  Government  of  Alberta. 

•  The  Department  will  develop  policies  and  procedures  related  to  planning, 
approval  and  funding  of  health  capital  projects  and  programs.  It  will  also 
report  capital  expenditures  in  its  financial  statements. 

•  Infrastructure  will  implement  and  manage  approved  projects,  including 
developing  policies,  processes  and  procedures.  Infrastructure  will  also 
monitor  cash-flow  requirements  for  approved  capital  projects. 


Between  April  1,  2006  and  December  31,  2007,  the  Department  disbursed 
$1,083  billion  to  health  authorities  in  infrastructure  funding  for  health 
facilities. 


Criteria:  the  standards  we  used  for  our  audit 

The  Department  should: 

•  sign  agreements  with  grant  recipients  before  giving  them  grant  money. 

•  use  grant  agreements  to  clearly  outline  terms  and  conditions,  roles  and 
responsibilities,  and  reporting  requirements. 

•  implement  policies  and  procedures  that  define  the  approval,  payment  and 
monitoring  processes  for  capital  grants. 

•  document  and  communicate  the  periodic  reporting  it  requires  from 
Infrastructure. 


No  grant 
agreements  for 
more  than 
$1  billion  in 
capital  funding 
disbursed 


Our  audit  findings 

Grant  agreements— although  the  Department  disbursed  more  than  $  1  billion 
in  infrastructure  funding  by  December  31,  2007,  it  did  not  have  signed  grant 
agreements  for  any  of  this  funding.  For  all  grant  funding  approved  up  to 
December  2007,  a  funding  letter  was  signed  by  the  Ministers  of  Infrastructure 
and  Health  and  Wellness  and  sent  to  the  grant  recipient.  The  letter  told  grant 
recipients  that  their  capital  project  and  funding  had  been  approved.  But  these 
funding  letters  do  not  identify  the  terms  and  conditions,  roles  and 
responsibilities,  or  reporting  requirements  for  the  funding.  The  Department  has 
drafted  a  standard  grant  agreement  for  infrastructure  funding— but  has  not 
finalized  or  used  it. 
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Draft  policies  and 
procedures  not 
finalized  or 
implemented 


Reporting  on 
project  status  not 
defined 


Policies  and  procedures — the  Department  has  a  grant  policy  that  defines  the 
policies  and  processes  for  authorizing,  paying,  monitoring,  and  evaluating 
grants.  The  policy  requires  signed  grant  agreements  for  grants  in  excess  of 
$15,000.  It  applies  to  all  grants  not  specifically  excluded.  But  management  said 
the  grant  policy  does  not  apply  to  infrastructure  funding  for  health  facilities, 
explaining  that  the  policy  has  not  been  updated  since  the  program  was 
transferred  to  the  Department.  The  Department  has  drafted  policies  and 
procedures  for  infrastructure  grants  but  has  not  finalized  or  implemented  them. 

Reporting  on  projects — after  a  capital  project  is  approved,  the  Department 
relies  on  Infrastructure  to  manage  it.  The  MOU  requires  Infrastructure  to  inform 
the  Department  about  project  status  and  provide  information  as  requested  or 
required.  The  Department  has  not  defined  the  periodic  reporting  that  it  requires 
from  Infrastructure  to  stay  informed  of  project  status.  While  the  Department  has 
access  to  Infrastructure's  project-reporting  system,  this  system  has  only 
financial  information  for  a  project.  The  Department  and  Infrastructure  meet 
informally,  with  each  other  and  funding  recipients,  but  the  Department  does  not 
receive  any  formal  reporting  from  Infrastructure  on  project  status. 

Implications  and  risks  if  recommendation  not  implemented 

Without  policies,  procedures,  and  signed  grant  agreements  for  infrastructure 
funding  for  health  facilities,  both  the  Department  and  grant  recipients  are 
uncertain  about  roles  and  responsibilities,  terms  and  conditions,  and  reporting 
requirements. 

Without  proper  reporting  on  projects,  the  Department  cannot  be  fully  aware  of 
project  status  or  problems.  In  addition,  the  Department  may  not  get  the 
information  it  needs  to  allow  it  to  rely  on  Infrastructure's  work.  Without  this 
information,  the  Department  will  not  be  able  to  ensure  accountability  for  the 
funding  disbursed. 

Province  Wide  Services 
Recommendation  No.  36 

We  recommend  that  the  Department  of  Health  and  Wellness: 

•  define  the  role  and  the  responsibilities  of  the  Province  Wide  Services 
Advisory  Committee. 

•  update  the  Province  Wide  Services  Funding  Procedures  and 
Definitions  Manual  and  follow  it. 
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2008 


Background 

Specialized,  The  Department  of  Health  and  Wellness  (the  Department)  provides  funding— 

coninlex  or  Hitjli 

cost  services;  through  Province  Wide  Services  (PWS)— for  services  that  are  specialized, 

$594  million  for  complex,  or  high  cost.  The  majority  of  PWS  funding  goes  to  the  Calgary  Health 

PWS  funding  in  Region  and  Capital  Health.  The  objective  of  PWS  funding  is  to  pay  for  a 

narrow  band  of  important  services  that,  because  of  their  high  costs,  complexity, 
and  relatively  low  service  volumes,  can  be  effectively  provided  at  only  one  or 
two  sites  in  the  province.  The  Department's  budget  for  PWS  has  grown  from 
$303  million  in  2001  to  $594  million  in  2008. 

In  our  2002-2003  Annual  Report  (pages  154-157),  we  made  three 
recommendations  for  PWS.  We  recommended  the  Department: 

•  clarify  the  mandate  of  the  province  wide  services  working  group. 

•  review  changes  to  the  list  of  qualifying  PWS  services  resulting  from 
methodology  changes. 

•  define  what  pre-  and  post-transplant  services  quality  for  PWS  funding  and 
determine  their  costs. 


PWS  advisory 
committee  not  in 
place  from  2004  to 
2008 


Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  clearly  defined  terms  of  reference  for  the  PWS 
Advisory  Committee  and  the  Committee  should  follow  them. 

The  Department  should  have  documented  policies  and  procedures  for  PWS 
funding.  The  policies  and  procedures  should  define  the  processes  required  to  be 
followed  when  methodology  changes  occur. 

Our  audit  findings 

The  Department  established  the  PWS  Working  Group  in  2002  to  advise  it  on 
services  that  should  qualify  for  PWS  funding,  but  it  did  not  clearly  define  the 
group's  role  or  responsibilities.  Since  that  time,  the  PWS  working  group  was 
changed  to  an  advisory  committee  but  it  has  not  operated  for  over  four  years. 

In  2005,  the  Department  developed  a  proposed  framework  for  PWS.  The 
framework  included  suggestions  on  the  PWS  services  and  a  new  committee 
structure  that  included  expert  advisory  groups  and  draft  terms  of  reference  for 
the  committee. 


New  PWS  terms 
of  reference  not 
finalized  or 
implemented 

No  review  of  PWS 
services  since 
2005 


In  January  2008,  the  Department  formed  a  new  PWS  advisory  committee. 
However,  the  Department  has  not  finalized,  approved  or  implemented  the  new 
Committee's  draft  terms  of  reference. 

The  last  complete  review  of  the  services  that  qualify  for  PWS  funding  was  done 
in  2005.  The  PWS  committee  was  responsible  for  updating  the  PWS  service 
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listing  and  annually  reviewing  the  list  of  qualifying  services  to  ensure  they 
continue  to  meet  the  PWS  criteria.  In  the  absence  of  a  functioning  PWS 
committee,  the  Department  has  updated  the  list  of  qualifying  PWS  services  for 
certain  services  and  drugs  and  for  pre-  and  post-transplant  services.  Between 
2005  and  2008,  one  service  and  three  drugs  were  added  to  the  PWS  list.  The 
Department's  Health  Authority  f  unding  and  f  inancial  Accountability  branc  h 
approved  the  additions.  But  it  is  not  clear  who  is  responsible  for  reviewing  these 
recommended  changes — in  the  absence  of  a  PWS  committee.  The  Department 
changed  its  funding  methodology  to  comply  with  changes  in  national  standards. 
However,  it  has  not  reviewed  the  list  of  qualifying  services  as  a  result  of 
methodology  changes. 

The  Department  has  a  PWS  Funding  Procedures  and  Definitions  Manual  (the 
manual).  The  manual  defines  the  process  for  adding  and  removing  health 
services  and  drugs  and  describes  the  funding  methodology.  But  the  manual  has 
not  been  updated  since  December  1999.  And  since  then,  there  have  beeti 
changes  to  PWS,  including  changes  to  PWS  committees  and  funding 
methodologies.  The  manual  does  not  reflect  these  changes. 

The  Department  needs  to  ensure  there  is  clear  responsibility  for  all  critical  PWS 
tasks  and  that  its  own  processes  and  those  of  the  PWS  advisory  committee  are 
defined  and  match  one  another. 

Implications  and  risks  if  recommendation  not  implemented 

Without  a  well-defined  mandate,  the  Committee  may  not  understand  its 
responsibilities.  There  is  a  risk  that  there  could  be  duplication  of  effort  between 
the  Department  and  the  Committee,  as  well  as  gaps.  Without  well-defined 
policies  and  procedures,  services  funded  through  PWS  may  not  meet 
established  criteria  and  the  program  may  not  meet  its  objectives. 

4.    Health  care  registration — implemented 

In  our  1998-1999  Annual  Report  (No.  40— page  200)  and  in  our  2003-2004 
Annual  Report  (No.  21 — page  190),  we  recommend  the  Department  of  Health 
and  Wellness  improve  controls  over  the  health  care  registration  system. 

The  Department  has  implemented  our  recommendation  by: 
•     improving  its  monitoring  controls  for  health-care  applicants.  The 

Department  requires  new  applicants  to  provide  proof  of  residency,  identity, 
and  legal  entitlement  to  be  in  Canada,  before  issuing  a  personal  health 
number  (PHN).  The  health-care  registration  system  will  not  issue  a  PHN 
until  a  customer  service  representative  confirms,  in  the  registration  system, 
that  an  applicant  has  met  all  three  eligibility  criteria  and  documentation  is 
on  file  to  support  the  assessment.  The  Department  also  samples  registrants 


PWS  manual  not 
updated  since 
1999 


Proof  of  eligibility 
required 


Report  of  the  Auditor  General  of  Alberta— October  2008 


305 


Financial  statement  and  other  assurance  audits 


Health  and  Wellness 


to  ensure  they  have  met  eligibility  requirements  and  documentation  is  on 
file  to  support  the  assessment. 
•     investigating  potential  duplicate  personal  health  numbers.  The 

Department's  Registry  Integrity  Unit  has  been  using  software  to  investigate 
the  integrity  of  the  information  in  the  provincial  client  registry.  As  part  of 
this  review,  the  Unit  searches  for  potential  duplicate  records  and  has  a 
process  in  place  to  follow-up  and  resolve  identified  anomalies. 

5.  Outsourced  environment — implemented 

In  our  2006-2007  Annual  Report  (No.  27— page  106)  we  recommended  that  the 
Department  of  Health  and  Wellness  obtain  regular  assurance  that  outsourced 
information  and  technology  is  properly  controlled. 

For  the  year  ended  March  31,  2008.  the  Department  engaged  an  independent 
auditor  to  obtain  assurance  on  internal  controls  for  services  provided  by  its 
primary  service  provider.  We  will  continue  to  monitor  that  the  Department  is 
receiving  assurance  on  its  outsourced  services  on  a  regular  basis. 

6.  Alberta  Health  Services— Calgary  Health  Region 

6.1  Calgary  Health  Region— information  technology  change  management 
controls 

Recommendation 

We  recommend  that  Alberta  Health  Services— Calgary  Health  Region 
improve  its  change  management  policies  and  procedures,  follow  them  and 
implement  monitoring  controls  to  ensure  they  are  complied  with. 

Background 

In  our  2005-2006  Annual  Report  (vol.  2.  page  1 12)  we  recommended  that  the 
Calgary  Health  Region  (the  Region)  improve  its  change  management  controls. 

Criteria:  the  standards  we  used  for  our  audit 

The  Region  should  have  documented  and  effective  change  management 
procedures  to  log,  review,  approve,  test  and  implement  changes.  Segregation  of 
duties  should  also  be  enforced  to  request,  approve  and  implement  a  change. 

Our  audit  findings 

The  Region  has  implemented  formalized  change-management  policies  and 
procedures,  but  documentation  evidencing  compliance  is  not  retained  and  the 
policies  and  procedures  are  not  always  followed.  As  well,  the  Region  does  not 
have  controls  in  place  to  monitor  compliance  with  change-management  policies 
and  procedures. 


Potential  duplicate 
records  monitored 
and  investigated 


Policies  and 
procedures 
implemented  but 
not  followed 
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There  is  also  inadequate  segregation  of  duties  within  the  change-management 
process.  Software  developers  have  access  to  the  production  environment  and 
the  same  developers  who  code  changes  also  implement  them.  External 
contracted  developers  also  have  access  to  the  production  environment. 

Implications  and  risks  if  recommendation  not  implemented 

Unauthorized  or  inappropriate  changes  may  be  made,  which  could  produce 
inaccurate  results,  incorrect  information  for  management  decisions  as  well  as 
incorrect  and  misleading  financial  information. 

6.2  Alberta  Health  Services— Calgary  Health  Region— information 
technology  user  access  management  controls 
Recommendation 

We  recommend  that  the  Alberta  Health  Services — Calgary  Health  Region 
update  its  user  access  management  policies  and  procedures,  follow  them 
and  implement  monitoring  controls  to  ensure  they  are  complied  with. 


Inadequate 
segregation  of 
duties 


Access  controls 
key  to  data 
security 


Background 

Access  controls  for  computer  systems  and  networks  are  one  of  the  most 
important  cornerstones  of  data  security.  Access  controls  ensure  that  users 
cannot  make  unauthorized  or  malicious  changes  to  systems,  applications,  or  the 
data  in  them.  Access  controls  help  ensure  that  financial  and  other  business- 
critical  data  is  complete,  valid,  available,  and  accurate. 


Criteria:  the  standards  we  used  for  our  audit 

The  Calgary  Health  Region  (the  Region)  should  have  documented  and  effective 
procedures  to  control  and  monitor  user  access  to  infrastructure,  applications  and 
data.  The  Region  should  ensure  these  procedures  are  complied  with. 


Procedure  and 

monitoring 

deficiencies 


Our  audit  findings 

The  Region  has  implemented  formalized  user-access  management  policies  and 
procedures  and  has  formalized  periodic  user  account  reviews.  However  we 
found  that: 

•  User-access  management  policies  and  procedures  are  not  always  followed 
nor  are  they  fully  formalized. 

•  User-access  management  policies  have  not  been  updated  to  reflect  changes 
to  operational  processes. 

•  There  is  not  a  strong  process  for  monitoring  compliance  with  user-access 
management  policies  and  procedures. 

•  Not  all  applications  comply  with  the  password  policy  requirements. 
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Implications  and  risks  if  recommendation  not  implemented 

Inadequate  controls  over  user-access  privileges  expose  the  Region  to  the  risk  of 
unauthorized  access.  Unauthorized  access  can  result  in  the  loss  of  data  integrity, 
breaches  of  privacy  and  segregation  of  duties,  unauthorized  transactions,  errors, 
and  fraud. 

6.3  Alberta  Health  Services— Calgary  Health  Region— contracting  for 
consulting  services  -  implemented 

In  our  2006-2007 Annual  Report  (No.  30  -  page  1 14),  we  recommended  that 
the  Calgary  Health  Region  follow  its  contract-management  policy  and 
processes  in  awarding  contracts  for  consulting  services. 

The  Region  has  implemented  our  recommendation.  We  examined  two  contracts 
for  consulting  services;  these  contracts  were  awarded  appropriately  under  the 
Region's  contract-management  policy  and  processes. 

7.    Alberta  Health  Services— Capital  Health 
7.1  Capital  Health— information  technology  security  controls 
Recommendation 

We  recommend  that  Alberta  Health  Services— Capital  Health  improve  its 
information  technology  security  controls  over  user-access  administration, 
privileged  user  accounts,  security  violations,  and  passwords. 

Background 

As  part  of  our  review  of  information  technology  (IT)  general  controls,  we 
examined  IT  security  controls  over  Capital  Health's  computing  environment, 
focusing  on  the  applications  and  supporting  infrastructure  for  finance,  payroll, 
human  resources,  and  contract  management. 

Criteria:  the  standards  we  used  for  our  audit 

Capital  Health  should  have  documented  and  effective  processes  to  control  and 
monitor  user  access  to  infrastructure,  applications  and  data.  They  should  also 
ensure  these  processes  are  complied  with. 

Our  audit  findings 

•     The  IT  process  for  security-access  administration  (new  users,  terminated 
users,  modified  users)  is  decentralized  to  Capital  Health  departments.  Three 
of  the  five  departments  have  not  formalized  this  process  and  do  not 
consistently  keep  records  of  it.  No  review  of  user  accounts  and  user  access 
rights  was  completed  during  the  year  for  purchasing,  information  systems, 
and  HR  users  of  financial  applications  and  network  accounts. 


Inadequate 
monitoring  and 
review  of  IT 
access 
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•  There  is  no  formal  monitoring  for  potential  inappropriate  use  of  accounts 
with  administrative-access  rights  for  both  the  network  and  application 
databases. 

•  There  are  no  formal  periodic  reviews  of  the  network  environment  and 
financial  applications  for  security  violations.  Logging  is  enabled:  however, 
reviews  occur  only  on  an  exception  basis. 

•  There  is  no  formalized  password  policy  or  standard. 

Implications  and  risks  if  recommendation  not  implemented 

The  lack  of  strong  controls  over  IT  security  increases  the  risk  of  inappropriate 
use  and  modification  of  data.  It  also  puts  the  integrity  of  financial  data  at  risk: 
data  may  be  changed,  deleted  and  disclosed  without  authorization. 

7.2  Alberta  Health  Services — Capital  Health— information  technology 
change  management  controls 
Recommendation 

We  recommend  that  Alberta  Health  Services — Capital  Health  improve  its 
information  technology  change-management  controls  over  testing, 
categorizing,  and  reviewing  changes. 

Background 

Capital  Health  had  implemented  a  formal  change-management  process  during 
2008  based  on  the  Information  Technology  Infrastructure  Library  (ITIL) 
framework. 

Criteria:  the  standards  we  used  for  our  audit 

Capital  Health  should  have  documented  and  effective  change  management 
procedures  to  log.  review,  approve,  test  and  implement  changes. 

Our  audit  findings 

Three  of  ten  sampled  changes  to  the  financial  application  had  no  testing 
documentation  on  file.  There  are  no  formal  guidelines  for  what  test  results 
should  be  documented  and  retained. 


Change 
management 
process 
implemented 


Insufficient 
documentation 


Insufficient 
controls  to  ensure 
completeness 


No  review  of 
configuration 
changes 


There  is  no  single  repository  of  all  changes  to  the  application.  Changes  to  an 
application  are  tracked  in  each  business  area.  In  addition,  there  is  no  process  to 
compare — for  completeness — the  changes  recorded  in  the  ITIL  change- 
management  tool  to  the  applications. 

There  are  no  reviews  of  configuration  changes  made  to  the  applications.  As 
well,  there  is  no  formal  configuration-management  database  or  version-control 
process  for  the  applications  to  track  changes. 


Report  of  the  Auditor  General  of  Alberta— October  2008 


309 


Financial  statement  and  other  assurance  audits 


Health  and  Wellness 


Implications  and  risks  if  recommendation  not  implemented 

The  lack  of  strong  controls  over  changes  to  applications  increases  the  risk  that 
applications  may  process  inaccurate  results,  produce  inaccurate  information  for 
management  decisions,  and  produce  incorrect  and  misleading  financial 
information. 

7.3  Alberta  Health  Services — Capital  Health — business  processes — 
implemented 

In  our  2006-2007  Annual  Report  (page  1 10),  we  recommended  that  Capital 
Health  review  its  underlying  processes  to  ensure  that  it  has  reliable,  accurate, 
and  timely  financial  information  for  preparing  financial  statements. 

Management  implemented  the  recommendation  by  taking  the  following  actions: 

•  purchasing  systems — management  improved  the  controls  over  its 
purchasing  systems  and  implemented  a  monthly  process  to  follow  up  on 
outstanding  purchase  orders. 

•  employee  benefit  plans — these  plans  are  now  updated  quarterly  in  the 
financial  records. 

•  Special  Purpose  Fund  accounts — management  reviewed  all  special  purpose 
funds,  closed  89  dormant  ones,  and  confirmed  the  classification  of  each 
fund  as  either  externally  or  internally  established.  Management  updated  its 
policy  to  establish  new  funds. 

7.4  Alberta  Health  Services — Capital  Health — accurate  financial 
information — implemented 

In  our  2005-2006  Annual  Report  (No.  35,  page  126),  we  recommended  that 
management  of  Capital  Health  provide  its  Audit  and  Finance  Committee  with 
complete  and  accurate  financial  information. 

Management  implemented  the  recommendation  by  improving  financial 
reporting  systems  and  processes  as  follows: 

•  management  improved  its  process  to  identify  all  significant  estimates  in  the 
Financial  statements.  Accruals  are  supported  by  monthly  review  processes 
and  quarterly  updates. 

•  the  controls  over  payroll,  purchases,  payables,  payments,  revenues, 
receivables,  receipts,  and  Financial  statement  preparation  are  effective. 

•  management  implemented  a  review  process  to  prevent  and  detect  errors  in 
the  monthly  and  quarterly  Financial  statements  presented  to  the  Audit 
Committee. 


Improved  controls 
over  purchases, 
employee  benefit 
plans  and  special 
purpose  funds 


Improved 
financial  reporting 
processes  and 
systems 
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8.    Alberta  Health  Services— Peace  Country  Health 
8.1  Peace  Country  Health — expense  claims  and  corporate  credit  cards 
controls 

Recommendation 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health 
strengthen  and  follow  its  policies  and  processes  for  employee  expense 
claims  and  corporate  credit  cards.  We  also  recommend  that  Peace  Country 
Health  develop  and  implement  policies  and  guidance  on  appropriate 
expenses  for  hosting  and  working  sessions. 

Background 

81  corporate  credit         At  November  30.  2007.  Peace  Country  Health  (the  Region)  had  81  corporate 
C3rds 

credit  cards,  which  paid  for  approximately  $280,000  in  expenses  between  April 
and  November  2007. 


Criteria:  the  standards  we  used  for  our  audit 

The  Region  should  ensure  that: 

•  expense  claims  and  corporate  credit  card  transactions  comply  with  its 
policies  and  are  appropriately  approved. 

•  original,  itemized  receipts  are  provided  for  all  expenses  incurred  through 
expense  claims  or  corporate  credit  cards. 

•  it  has  policies  for  hosting  and  working  sessions  that  require  documentation 
of  the  individuals  hosted  and  the  purpose  of  the  hosting  event. 


200  corporate 
credit  card  and 
expense  claim 
transactions 
examined 


Our  audit  findings 

We  examined  a  sample  of  employee  expense  claims  and  corporate  credit  card 
transactions  for  the  period  March  -  November  2007,  including  claims  and 
transactions  of  Board  members,  the  CEO,  Vice  Presidents,  and  Executive 
Directors.  Our  examination  of  75  monthly  corporate  credit  card  statements 
(including  157  transactions  from  the  statements)  and  18  expense  claims 
(including  43  transactions  from  the  claims)  found  the  following  policy 
weaknesses  and  non-compliance  cases: 


No  policies  for 
hosting  or  working 
sessions 

Unclear  if  detailed 
itemized  receipts 
required 


Policy  weaknesses 

The  Region  has  a  corporate  credit  card  policy  and  a  travel-approval 
reimbursement  policy,  however  the  policies  need  to  be  improved: 

•  the  Region  does  not  have  policies  for  hosting  or  working  sessions. 
Therefore,  it  is  not  clear  when  it  is  appropriate  to  incur  these  expenses — or 
what  documentation  is  required  to  support  them. 

•  policies  on  both  corporate  credit  cards  and  travel  and  reimbursement  state 
that  original  receipts  are  required.  However  clarification  on  the  nature  and 
extent  of  the  support  is  required.  In  some  cases,  employees  provided 
detailed  itemized  receipts;  others  only  provided  credit  card  slips.  Without 
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Business  purpose 
not  documented 


detailed  itemized  receipts,  it  is  difficult  for  reviewers  to  assess  the 
appropriateness  of  the  expenses. 

there  is  no  requirement  to  document  the  business  purpose  for  corporate 

credit-cards  transactions. 

the  Region  has  no  expense-claim  policy. 


Supporting 
documentation  not 
provided  and 
transactions  not 
approved 


Cases  of  non  compliance  with  existing  polices 

•  In  12  expense  claim  transactions,  no  supporting  documentation  was 
provided. 

•  Twenty  five  monthly  corporate  credit-card  statements  were  not  approved 

by  the  employee's  supervisor. 


Ineffective 
controls  can  lead 
to  fraud  and  abuse 


Implications  and  risks  if  recommendation  not  implemented 

Insufficient  and  vague  policies,  as  well  as  ineffective  control  processes  to 
monitor  compliance  with  policies,  can  lead  to  abuse  and  fraudulent  transactions 
and  claims.  The  Region  may  reimburse  employees  or  pay  for  expenses  that  are 
not  for  its  business. 


8.2  Alberta  Health  Services — Peace  Country  Health — contract 
documentation 
Recommendation 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health 
develop  and  implement  a  sole-sourcing  policy  for  contracts  and  ensure  that 
sole-sourcing  is  clearly  documented  and  justified.  We  also  recommend 
Alberta  Health  Services — Peace  Country  Health  ensure  contract 
amendments,  including  changes  to  deliverables,  are  documented  and 
agreed  to  by  both  parties. 


Policies  for 
tendering  and 
obtaining  quotes 


Background 

Peace  Country  Health's  (the  Region)  Tendering  of  Contracts  and  Request  for 
Proposal  Process  says  contracts  will  be  clearly  defined,  competitively  sourced, 
thoroughly  analyzed  and  appropriately  awarded.  The  Region's  Competitive 
Quotes  policy  also  says  that  competitive  quotes  must  be  obtained  for  the 
purchase  of  supplies,  equipment  and  services  from  $1,000  to  $100,000. 


Contract  entered 
into 


The  Region  entered  into  a  contract  with  an  independent  contractor  in 
April  2007.  The  contract  was  for  three  months  at  $12,000  per  month.  It  required 
the  contractor  to  participate  in  developing  and  evaluating  an  accountability 
framework  for  the  Region.  It  paid  the  contractor  $72,000  between  April  and 
September  2007. 
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Criteria:  the  standards  we  used  for  our  audit 

•  Contracting  competitions  should  be  open,  fair  and  achieve  good  value.  A 
sole-sourcing  policy  should  be  in  place  and  followed.  Sole-sourcing  should 
be  clearly  justified  and  documented. 

•  Contract  amendments,  including  changes  to  the  term  or  contract 
deliverables,  should  be  justified,  authorized  and  documented. 


No  sole-sourcing 
policy 


No  documentation 
for  sole  sourcing 
decision 


Our  audit  findings 

The  Region  does  not  have  a  policy  for  sole-sourcing  contracts.  The  only 
reference  to  sole  sourcing  is  in  the  Competitive  Quotes  policy,  which  states  that 
sole  sourcing  is  an  exception  to  the  policy.  Management  told  us  that  the 
Region's  Strategic  Leadership  Team  (SLT)  agreed  that  they  needed  a  dedicated 
resource  to  develop  the  accountability  framework.  The  SLT  meeting  minutes 
identified  that  the  CEO  was  to  contact  a  specific  contractor  to  develop  the 
framework  but  we  could  not  find  any  documentation  evidencing  why  the 
Region  sole-sourced  the  contract  to  the  specific  contractor. 


Contract  not 
amended  for 
additional 
deliverables  and 
extended  term 


The  contract  was  extended  for  three  months  but  no  documentation  explained  the 
extension.  The  contract  stated  that  the  contractor  was  to  participate  in 
developing  and  evaluating  an  accountability  framework.  By  reviewing 
documentation,  we  learned  that  the  contractor  also  participated  in  developing  a 
capital  plan  and  researched  the  impact  of  population  growth  in  Northern 
Alberta.  These  additional  deliverables  were  not  documented  in  the  contract  and 
the  Region  did  not  amend  the  contract  for  the  extended  term  or  the  additional 
deliverables. 


Implications  and  risks  if  recommendation  not  implemented 

Without  sufficient  documentation  to  support  contracting  decisions,  the  Region 
will  not  be  able  to  show  that  it  used  a  clear  and  transparent  process  and  that  it 
adequately  justified  and  supported  its  contract  decisions. 

8.3  Alberta  Health  Services — Peace  Country  Health — information 
technology  user  access 
Recommendation 

We  recommend  that  Alberta  Health  Services — Peace  Country  Health 
establish  a  process  to  periodically  review  computer  system  user-access 
rights  to  ensure  they  are  appropriate. 

Background 

Access  controls  for  computer  systems  and  networks  are  one  of  the  most 
important  cornerstones  of  data  security.  Access  controls  ensure  that  users 
cannot  make  unauthorized  or  malicious  changes  to  systems,  applications,  or  the 


Access  controls 
key  to  data 
security 
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data  in  them.  Access  controls  help  ensure  that  financial  and  other  business- 
critical  data  is  complete,  valid,  available,  and  accurate. 

Criteria:  the  standards  we  used  for  our  audit 

Computer  system  access  should  be  approved  by  the  appropriate  official, 
removed  promptly  for  terminated  employees,  and  reviewed  periodically  to 
ensure  it  is  appropriate. 

Our  audit  findings 

The  Peace  Country  Health  (the  Region)  does  not  have  formal  policies  or 
processes  that  require  periodic  review  of  computer  system  access  rights.  While 
the  Region  has  implemented  a  process  for  setting  up  and  removing  access  for 
new  hires,  terminations  and  transfers,  it  does  not  promptly  remove  access  for 
terminated  employees.  We  sampled  five  employees  terminated  during  the  year 
and  found  that  access  for  two  of  them  was  not  removed  promptly — one 
terminated  in  August  2007  and  the  other  in  September  2007.  Yet  both 
employees  still  had  access  to  the  financial  system  in  February  2008,  when  we 
completed  our  testing.  If  the  Region  had  a  periodic  access-review  process, 
management  would  have  likely  found  that  these  terminated  employees  still  had 
access  and  then  terminated  it. 

Implications  and  risks  if  recommendation  not  implemented 

Unauthorized  users  can  access  financial  information.  They  can  change  and 
delete  it,  or  make  it  public  for  fraudulent  or  malicious  purposes. 

Alberta  Alcohol  and  Drug  Abuse  Commission  (AADAC) 

Improve  controls  over  contracting — satisfactory  progress 

In  2006-07,  we  recommended1  that  AADAC  improve  internal  controls  over 

contracting  by  ensuring  adequate  segregation  of  duties  existed  over  the 

contracting  process,  and  by  monitoring  contract  deliverables. 

AADAC  has  improved  internal  controls  over  contracting  by: 

•  establishing  an  internal  Contract  Review  Committee  (CRC)  to  review  all 
contracts  and  grants  in  excess  of  $10,000. 

•  providing  contract  training  for  all  employees  at  a  manager  level  and  higher. 

•  reporting  quarterly  on  all  contracts  and  grants. 

In  all  cases  except  one,  the  grant  and  contract  files  we  reviewed  during  our 
work  were  well  documented  and  properly  approved,  with  deliverables 
verified  and  reviewed  before  payments  were  processed. 


1  Report  of  the  Auditor  General  of  Alberta— November  2006,  Recommendation  No.  1  -  pg.  14.  
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One  grant  paid 
outside 
established 
processes 


Value  for  grant 
received  but  high 
risk 


But  AADAC  signed  a  $250,000  grant  agreement  in  March  2008  and  failed 
to  follow  established  processes  in  two  ways: 

•  the  grant  was  approved  outside  of  the  CRC  process — there  was  no 
evidence  of  CRC  review. 

•  the  grant  agreement  called  for  payments  up  to  $250,000  when  AADAC 
received  invoices  supporting  expenditures  for  a  media  campaign  by  a  third 
party.  But  AADAC  paid  the  $250,000  two  months  before  it  received  the 
supporting  invoices. 

We  are  satisfied  that,  in  this  case,  AADAC  received  value  for  the  grant,  but 
the  risk  of  improper  payments  is  high  if  proper  procedures  are  not 
followed. 


Proper  segregation 
of  duties  evident 


What  remains 


We  also  reviewed  10  other  large-dollar  grant  agreements  approved  in 
March  2008.  CRC  approved  2  of  them;  the  other  8  were  approved  by 
management,  but  not  through  the  established  CRC  process.  A  key  CRC 
function  is  to  ensure  adequate  segregation  of  duties  exists  in  the  contracting  and 
granting  process.  Segregation  of  duties  was  maintained  on  these  grants,  as 
appropriate  approvals  were  received  before  the  grant  agreements  were  signed. 
However,  CRC's  rigor,  transparency  and  authority  may  be  questioned  if  there 
are  deviations  from  the  CRC  process  as  a  matter  of  expediency.  As  this  was 
CRC  's  first  full  year  of  operation,  we  anticipate  that  AADAC  will  review  these 
exceptions  and  make  any  necessary  process  adjustments. 

To  fully  implement  this  recommendation,  AADAC  needs  to  ensure  that 
controls  over  contracting  are  working  effectively  and  CRC  reviews  all  contracts 
in  accordance  with  the  policy. 


AADAC  needed 
to  check 
backgrounds 


AADAC  now 
checks 
prospective 
employees 


9.2  Verify  academic  credentials  and  do  criminal-record  checks — 
implemented 

In  2006-07,  we  recommended2  that,  for  prospective  employees,  AADAC  verify 
academic  credentials  such  as  university  diplomas  with  granting  institutions  and 
do  criminal-record  checks  according  to  its  policy. 

We  reviewed  employment  applications  for  manager  level  and  higher  positions 
hired  in  the  year  ended  March  31,  2008.  AADAC  is  verifying  academic 
credentials  and  doing  criminal-record  checks  on  prospective  employees  and 
newly  appointed  expenditure  officers. 


2  Report  of  the  Auditor  General  of  Alberta— November  2006,  Recommendation  No.  2  -  pg.  16. 
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AADAC  needed 
reports 


9.3  Receive  annual  reporting  on  internal  controls — satisfactory  progress 
Background 

In  2006-07,  we  recommended^  that  the  AADAC  Board,  at  least  annually, 
receive  reports  from  management  on  the  design  and  effectiveness  of  AADAC 's 
internal  controls. 


Better  controls  as 
a  resull  of  audits 


Our  audit  findings 

Since  the  release  of  our  November  2006  report,  AADAC  has  been  audited  by 
the  Government  of  Alberta's  Central  Internal  Audit  Services  and  a  third-party 
consulting  organization.  It  has  worked  to  strengthen  its  contracting  processes 
and  internal  controls  based  on  recommendations  from  these  audits. 


Regular  reporting 
to  Board  needed 
for  risk- 
management 
framework 


To  finish  implementing  this  recommendation,  AADAC  needs  to  establish  a 
regular  routine  of  reporting  to  the  Board  on  the  design  and  effectiveness  of 
internal  controls,  based  on  a  risk-management  framework. 


Improved 
monitoring  of 
cancer-drug  costs 


Health  and 
Wellness  Minister 
is  responsible  for 
HQCA 


10.  Alberta  Cancer  Board  cancer-drug  programs — implemented 

In  our  2001-2002  Annual  Report  (No.  25— page  140),  we  recommended  that 
the  Board  improve  systems  for  managing  cancer-drug  programs. 

The  Board  has  implemented  our  recommendation  by: 

•  improving  its  financial  monitoring  of  cancer-drug  costs.  Management 
reviews  monthly  and  quarterly  drug  costing  and  utilization  reports. 

•  tracking  information  on  patient  outcomes  and  drug-treatment  costs.  The 
Board  is  also  considering  software  that  would  allow  it  to  extract  data  from 
multiple  systems  and  produce  information  for  further  analysis. 

1 1 .  Health  Quality  Council  of  Alberta  (HQCA)— Investigative  Approach 
11.1  Summary 

The  Health  Quality  Council  of  Alberta  is  an  independent  organization  legislated 
under  the  Regional  Health  Authorities  Act4  to  measure,  monitor  and  assess 
patient  safety  and  health  service  quality.  HQCA  is  accountable  to  the  Minister 
of  Health  and  Wellness. 


HQCA 

investigates  but 
does  not  regulate 


HQCA  conducts  investigations  at  the  request  of  the  Minister  or  a  Regional 
Health  Authority  (an  Authority) ,  and  makes  recommendations  for 
improvement.  It  is  not  a  regulator.  For  Minister-requested  investigations,  the 
Minister  decides  whether  to  accept  recommendations;  if  he  or  she  does,  the 
Ministry  of  Health  and  Wellness  (the  Ministry)  implements  them. 


J  Report  of  the  Auditor  General  of  Alberta— November  2006.  Recommendation  No.  3  -  pg.  17. 

4  See  Section  17  of  the  Regional  Health  Authorities  Act.  HQCA  was  established  under  the  Health  Quality  Council  of  Alberta 
Regulation  130/2006  on  July  1.  2006.  
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HQCA  has  no 
professional 
disciplinary  role 


Examined 
HQCA's 
investigation 
processes 


HQCA  has 
adequate  systems 


HQCA  still 
refining  its 
processes 


Suggestions  to 
further  improve  its 
practices 


While  the  HQCA  is  a  health  monitoring  agency  seeking  to  improve  patient 
safety  and  health  service  quality  through  recommendations  to  improve  systems, 
it  leaves  professional  disciplinary  actions  that  are  identified  in  its  investigations 
to  the  appropriate  regulatory  authorities.  It  has  no  authority  to  sanction  any 
person  or  organization. 

The  objective  of  our  audit  was  to  determine  whether  HQCA  has  systems  to 
ensure  that  its  investigations  are  fair  and  complete.  Our  audit  focused  on 
policies  and  procedures  for  Minister-directed  investigations.  We  did  not  audit 
or  judge  policy  decisions  related  to  recommendations  made. 

We  used  the  HQCA  s  Minister-requested  investigation  of  infection  control 
issues  at  a  Vegreville  hospital  (East  Central  Review)  as  the  basis  for  our  audit 
to  better  understand  how  HQCA  does  its  work.  HQCA  issued  a  report  on  its 
investigation  in  July  2007. 

We  conclude  that  HQCA  has  adequate  systems  to  ensure  that  its  investigations 
into  improved  patient  safety  and  health-service  quality  are  fair  and  complete, 
and  its  recommendations  are  supported.  HQCA  has  developed  a  comprehensive 
set  of  policies  to  manage  Minister-directed  investigations.  It  had  appropriate 
evidence  to  support  the  recommendations  in  its  East  Central  Report. 

HQCA  is  still  in  a  developmental  stage  and  is  refining  its  investigative 
approach  and  systems.  HQCA  seeks  to  continuously  improve  its  policies  for  its 
investigative  process  to  add  value  to  health  organizations  that  it  reviews.  We 
have  identified  ways  for  HQCA  to  further  improve  its  policies  and  systems 
including: 

•  improving  its  policy  to  provide  better  guidance  to  investigative  teams  on 
methodologies  and  standards. 

•  providing  guidance  on  using  legal  assistance  in  investigations. 


1 1 .2    HQCA— Investigative  Role  Policy 
Recommendation 

We  recommend  that  the  Health  Quality  Council  of  Alberta  improve  its 
Investigative  Role  Policy  by  defining  or  providing  guidance  on: 

•  methodologies  for  different  circumstances. 

•  medical  standards  for  planning  and  conducting  investigations. 


Various 

methodologies 

available 


Background 

Various  methodologies  and  procedures  can  be  used  for  investigations.  During 
the  East  Central  Review,  HQCA  used  several  investigative  methodologies 
including  root-cause  analysis,  brainstorming,  document  reviews,  collection  of 
photographic  evidence,  individual  and  group  interviews,  sampling  and  process 
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walkthroughs.  Other  procedures  include  "the  5  whys",  hypothesis  testing, 
means-end  analysis,  collection  of  video  evidence,  case  studies,  surveys, 
benchmarking,  and  statistical  analysis.  Each  methodology  or  procedure  has 
strengths  and  weaknesses. 

Several  widely  respected  international  organizations  issue  best  practice 
guidelines  for  a  wide  range  of  health  topics — information  that  is  critical  to 
performing  investigations  because  it  helps  to  establish  baselines  for  expected 
performance.  Pre  selecting  medical  standards  ensures  that  medical  processes 
reviewed  over  time  and  at  different  sites  are  consistently  evaluated. 

Our  audit  findings 

HQCA's  Investigative  Role  Policy  does  not  include  guidance  on  different 
review  methodologies  and  procedures  for  different  types  of  investigations. 
Generally,  HQCA  can  be  asked  to  review  specific  health  issues  (for  example, 
Methicillin-Resistant  Staphylococcus  aureus  or  MRSA)  or  can  be  asked  to 
review  health-related  systems  to  improve  the  effectiveness  and  efficiency  of 
individual  processes.  The  appropriate  methodology  will  depend  on  the  nature  of 
the  issue  it  is  investigating. 

Consultants  used  HQCA  is  responsible  to  ensure  the  quality  of  its  investigations  and  may  use 

external  medical  consultants.  Because  external  consultants  may  be  unfamiliar 
with  HQCA  policies,  explicit  guidance  on  various  review  methodologies  is 
critical.  All  members  of  the  East  Central  review  investigative  team  were 
consultants  so  the  quality  of  the  work  relied  heavily  on  their  medical  expertise 
and  experience.  Guidance  from  an  inventory  of  methodologies  would  assist 
future  projects  where  team  experience  in  particular  areas  may  be  varied. 

HQCA  s  Investigative  Role  Policy  does  not  refer  to  acceptable  medical 
standards  to  use  in  different  types  of  investigations.  During  the  East  Central 
review,  HQCA  used  the  Canada  Safety  Association  standards  to  establish 
review  criteria.  The  following  organizations  publish  source  material  that  HQCA 
could  have  considered: 

•  World  Health  Organization. 

•  Association  for  Professionals  in  Infection  Control  and  Epidemiology. 

•  Canadian  Journal  of  Infectious  Disease  Medical  Microbiology. 

•  Public  Health  Agency  of  Canada. 

•  Center  for  Disease  Control  and  Prevention. 

•  Ontario  Ministry  of  Health  and  Long  Term  Care. 

In  August  2007,  the  Ministry  published  its  MRSA  Infection  Prevention  and 
Control  (IPC)  Guidelines.  Of  the  1 1  basic  infection  control  standards  the 
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Ministry  Identified,  the  HQCA  team  did  not  include  the  following  for  their 
review  purposes: 

•  patient  placement  practices. 

•  transportation  of  infectious  patients. 

HQCA  contemplated  these  standards  but  did  not  consider  them  critical  for  the 
East  Central  Review. 

Implications  and  risks  if  recommendation  not  implemented 

Failure  to  identify  appropriate  medical  standards  and  methodologies  for 
different  types  of  investigations  may  lead  to  inappropriate,  inconsistent  or 
missed  observations. 

1 1 .3    HQCA — guidance  on  using  legal  assistance 
Recommendation 

We  recommend  that  the  Health  Quality  Council  of  Alberta  provide 
guidance  on  use  of  legal  assistance  when  conducting  investigations. 

Background 

Activities  requiring  disciplinary  action  are  to  be  directed  to  the  appropriate 
professional  body. 

Our  audit  findings 

HQCA's  Investigative  Role  Policy  states  that  the  appropriate  authority  is  to  be 
contacted  if  negligence  or  criminal  intent  is  identified  during  an  investigation. 
The  Policy  does  not  guide  the  teams  by  defining  negligence  or  criminal  intent, 
nor  does  the  policy  suggest  the  review  team  should  use  legal  help  in  deciding 
when  it  should  notify  governing  bodies.  The  East  Central  review  team 
discussed  with  legal  counsel  the  implications  of  gathering  evidence  under  the 
Alberta  Evidence  Act.  However,  there  was  no  indication  that  assessing  or 
interpreting  evidence  of  negligence  or  criminal  intent  was  discussed. 

Implications  and  risks  if  recommendation  not  implemented 

Failure  to  seek  legal  assistance  while  considering  whether  negligence  or 
criminal  intent  caused  patients  harm  may  compromise  the  completeness  of 
investigations.  As  a  result,  negligence  or  criminal  behaviour  may  go  unreported 
to  the  appropriate  authorities. 


Policy  lacks 
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Unqualified 
auditor's  reports 


Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  Ministry  and  Department  financial  statements  for  the 
year  ended  March  31.  2008  are  unqualified.  The  Ministry  consolidated  the  health 
authorities  and  health  boards  using  the  modified  equity  method.  The  modified  equity 
method  is  allowed  as  a  transition  to  line-by-line  consolidation,  which  will  be 
required  for  the  year  ending  March  31,  2009.  Under  line-by-line  consolidation,  the 
Ministry's  capital  assets  would  have  been  fully  consolidated  so  net  assets  at 
March  31.  2008  would  have  increased  by  approximately  $5.9  billion. 


We  issued  unqualified  auditor's  reports  on  the  financial  statements  for  the  year 
ended  March  31.  2008  of  the  following  entities: 
Alberta  Alcohol  and  Drug  Abuse  Commission 
Alberta  Cancer  Board  and  Alberta  Cancer  Foundation 
Alberta  Mental  Health  Board 

Calgary  Health  Region,  and  Carewest,  its  wholly-owned  subsidiary 
Capital  Health,  and  Capital  Care  Group  Inc.,  its  wholly-owned  subsidiary 
Chinook  Regional  Health  Authority 
East  Central  Health 
Health  Quality  Council  of  Alberta 
Northern  Lights  Health  Region 
Peace  Country  Health 


The  appointed  auditors  of  the  three  Health  Authorities  we  did  not  audit— Aspen 
Regional  Health  Authority,  Palliser  Health  Region  and  David  Thompson  Health 
Region— issued  unqualified  auditor's  reports  on  their  financial  statements  for  the 
year  ended  March  31,  2008. 


Performance  measures 
No  exceptions        We  did  not  report  any  exceptions  on  the  results  of  applying  specified  procedures  to 
the  Ministry's  performance  measures  in  the  Ministry's  2007-2008  Annual  Report. 
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Infrastructure  and  Transportation 

Our  audit  findings  and  recommendations 

Highway  transfers— implemented 

Recommendation     In  our  2006-2007  Annual  Report  (vol.  2,  page  1 20) ,  we  recommended  that  the 
implemented         Ministry  monitor  highway-transfer  agreements  to  ensure  that  transactions  are 
appropriately  recorded  in  its  financial  statements. 


P  The  Ministry  implemented  our  recommendation  by  improving  its  internal 

V  communication  process.  The  Transportation  Civil  Engineering  division  informs  the 

Finance  division  of  any  agreements  it  enters  into  to  enable  Finance  to  assess  the 
financial  reporting  implications. 


Performance  reporting 

Financial  statements 

Unqualified  Our  auditor's  report  on  the  Ministry's  financial  statements  for  the  year  ended 

auditor  s  report        March  31  2008  [s  unqualified. 

Performance  measures 
One  exception       We  found  one  exception  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 

We  found  an  exception  for  the  measure  Physical  Condition  of  Learning  Facilities  - 
Schools  in  good,  fair,  or  poor  condition.  We  were  unable  to  conclude  that  the  results 
presented  were  reliable  because  we  were  unable  to  verify  changes  made  by  the 
Ministry  to  the  external  consultants'  reports  used  to  prepare  the  measure. 
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Use  effective  IT 
controls  for  risks 


International,  Intergovernmental  and 
Aboriginal  Relations 

Summary  of  our  recommendations 

The  Ministry  of  International  and  Intergovernmental  Relations  should  develop  an  IT 
control  framework  — see  page  51. 


Monitor 
international 
offices  better 


The  Ministry  should  strengthen  its  systems  for  monitoring  and  assessing  the 
effectiveness  and  efficiency  of  its  10  international  offices — see  pages  324  and  326. 


Alberta  actively 
participates  in 
global 
marketplace 


Our  audit  findings  and  recommendations 

1.    International  offices  review 

Alberta's  economy  relies  on  actively  participating  in  the  global  marketplace.  In 
2006.  trade  and  investment  accounted  for  nearly  70%  of  Alberta's  gross 
domestic  product.1  As  new  business  opportunities  arise  abroad,  many  Alberta 
businesses  may  need  help  overcoming  the  barriers  to  developing  business 
relationships  in  foreign  countries.  Differences  in  language,  culture,  business 
practices  and  laws  can  make  dealing  with  organizations  in  other  countries  a 
challenge. 


Alberta  has  ten 

international 

offices 


The  Ministry  of  International  and  Intergovernmental  Relations  has  10 
international  offices  to  promote  Alberta  businesses  internationally  and  to  help 
them  connect  with  foreign  markets.  The  offices  are  in  Washington.  China  (2), 
Hong  Kong,  Taiwan,  United  Kingdom,  Mexico,  Germany,  Korea  and  Japan. 
The  Washington  office  has  a  slightly  different  goal  than  the  others:  to  promote 
Alberta's  economic  and  policy  interests  to  high-level  US  decision-makers. 


$9.25  million 
budget  in  2007-08 
for  international 
offices 


The  international  offices'  budget  for  2007-08  was  $7.5  million,  plus 
approximately  $750,000  for  housing  and  $1  million  for  office  space  which  are 
both  paid  by  the  Department  of  Infrastructure.  Seven  of  the  ten  offices  are 
co-located  in  Canadian  embassies  and  share  federal-government  systems  and 
administrative  support.  The  other  three  (in  Japan.  Hong  Kong  and  China)  are 
stand-alone  offices  with  their  own  systems  and  administrative  processes. 


Alberta  Foreign  Offices  Review  Committee  report  p. 2 
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1.1  Evaluating  international  offices'  performance 
Recommendation 

We  recommend  that  the  Ministry  of  International  and  Intergovernmental 
Relations  improve  the  processes  management  uses  to  evaluate  the 
performance  of  each  international  office. 


Ministry  has  a 
performance- 
measure 
framework 


Performance 
should  be 
monitored 


Evaluation 
process  can 
improve 


Formal  cost- 
effectiveness 
reviews  should  be 
conducted 


Background 

The  Ministry  developed  a  performance-measure  framework  to  support 
management's  evaluation  of  the  performance  of  the  10  international  offices. 
Each  month,  using  methodologies  defined  by  the  Ministry,  the  offices  collect 
and  report  data  to  the  Ministry  for  14  performance  measures.  Senior 
management  reviews  the  performance-measure  results  each  quarter  and  follows 
up  unexpected  results  with  the  Managing  Director  of  each  office. 
Annually,  a  summary  of  the  results  is  included  in  an  Activity  Report  thai 
publicly  discloses  the  activities  of  the  international  offices. 

Also,  the  Ministry's  Annual  Report  includes  three  user-satisfaction  performance 
measures  compiled  by  the  Ministry  every  two  years  to  further  support 
management's  evaluation  of  the  offices. 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  monitor  clear  measures  of  performance  by  the  international 
offices  and  effectively  manage  any  risks. 

Our  audit  findings 

The  Ministry  partly  met  this  criterion.  Its  performance-measure  framework 
supports  management's  assessment  of  the  level  of  activity  that  each  office  has 
achieved  compared  to  targets.  However,  management  does  not  periodically 
review  the  international  offices  in-depth  to  ensure  each  continues  to  be  relevant 
and  cost-effective.  Also,  management  does  not  include  variance  analyses  and 
definitions  for  the  14  performance  measures  in  its  annual  Activity  Report. 

a)    No  periodic  assessment  of  the  offices'  continued  relevance  and  cost- 
effectiveness 

The  Ministry  reviews  the  offices'  performance-measure  results  regularly  and 
management  has  a  good  understanding  of  each  office's  activities.  But  the 
Ministry  does  not  periodically  do  a  formal  comprehensive  review  to  carefully 
examine  the  continued  relevance  and  cost-effectiveness  of  each  international 
office.  During  these  reviews,  the  Ministry  should  consider  whether: 
•     each  office  continues  to  have  the  right  focus  given  changes  in  Alberta's 
market  and  the  ever-changing  global  marketplace. 
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•  the  offices  continue  to  meet  Ministry  objectives  efficiently  given  changes 
in  local  economies. 

•  the  offices  are  in  the  right  markets  to  achieve  the  Ministry's  goal  of 
Hincreas[ing]  exports  of  Alberta's  goods  and  services.  " 

An  MLA  review  committee  recently  reviewed  the  international  offices  and 
published  recommendations  in  the  Alberta  Foreign  Offices  Review  Report.  This 
type  of  review  had  not  been  performed  in  over  a  decade.  Management  should 
conduct  a  similar  review  as  part  of  a  regularly  scheduled  process,  and  include  a 
cost-benefit  analysis  of  each  office  as  part  of  the  review. 

b)    Public  performance  reports  can  be  more  useful 

The  annual  Activity  Report  contains  helpful  indicators  of  performance,  such  as 
"number  of  business  introductions"  made  by  the  offices;  however,  management 
should  consider  the  following  improvements  to  the  Report: 

•  adding  variance  analyses. 

•  defining  the  performance  measures  and  describing  the  methodologies  used 
to  compile  the  data. 

The  Activity  Report  does  not  include  variance  analyses  supplied  by  the  offices 
to  explain  significant  deviations  from  targets  and  prior  performance.  In  the 
2006-07  Activity  Report,  most  targets  were  significantly  exceeded.  For 
example,  the  actual  "number  of  missions/delegations  to  the  target  market" 
exceeded  the  target  by  almost  25%,  but  there's  no  explanation  why.  Variance 
analyses  help  readers  understand  the  effect  that  the  international  offices  and 
external  factors  (such  as  mad  cow  disease  in  the  beef  industry)  have  on  results. 

The  Activity  Report  lacks  performance-measure  definitions  and  methodology 
descriptions  to  clarify  what  the  measures  mean  and  how  they  were  compiled. 
This  is  particularly  important  when  measures  are  not  intuitive.  For  example,  for 
the  measure  "Number  of  Companies  Participating",  it  is  not  clear  what  the 
companies  are  participating  in.  The  Ministry  gave  us  the  following  definition: 
"The  number  of  international  companies  or  potential  investors  involved  in 
delegations  to  Alberta."  Without  this  context,  readers  would  not  likely  know 
what  the  measure  reports. 

It  is  also  important  to  describe  the  methodology  used  to  compile  measures  when 
data  may  have  limitations,  such  as  estimates,  so  that  readers  know  the 
limitations.  For  example,  the  measure  "Number  of  Business  Introductions"  can 
be  difficult  to  substantiate  because  of  the  way  these  introductions  occur  at 
certain  events  such  as  trade  shows.  The  international  offices  track  the 
introductions,  but  they  don't  always  give  details  of  who  met  whom  to  the 
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Ministry.  In  these  cases,  the  submitted  totals  may  reflect  a  best-efforts  attempt 
to  count  each  introduction;  the  actual  totals  may  differ. 

Implications  and  risks  if  recommendation  not  implemented 

Things  change  quickly  in  the  global  marketplace  so  management  needs  current 
and  reliable  information  on  the  continued  relevance  and  cost-effectiveness  of 
each  office.  Without  regularly  scheduled,  thorough  reviews  of  each  office, 
management  may  not  be  able  to  effectively  manage  any  risks  to  achieving  its 
goal  of  "increas[ing]  exports  of  Alberta'  goods  and  services."  Also, 
improvements  to  the  Activity  Report  described  above  would  help  readers  review 
and  assess  the  international  offices'  performance. 

1.2  Ensuring  effective  information-system  controls 
Recommendation 

We  recommend  that  the  Ministry  of  International  and  Intergovernmental 
Relations  obtain  assurance  that  information-system  controls  are  effective 
at  the  international  offices  and  that  relevant  Government  of  Alberta  IT 
policies  and  standards  are  being  met. 

Background 

The  seven  international  offices  at  Canadian  embassies  share  the  federal 
government's  systems,  servers  and  administrative  processes.  All  international 
office  payments  are  processed  on  embassy  systems  by  embassy  staff  and  paid 
out  of  Ministry  advance  accounts  for  each  office.  At  each  month-end,  the 
federal  government  prepares  a  Summary  of  Expenses  paid  on  behalf  of  each 
office  through  the  federal  systems  and  submits  it,  along  with  supporting 
receipts,  to  the  Ministry  for  replenishment  of  the  advance  accounts.  The  three 
non-embassy  offices  use  their  own  systems  to  process  all  payments  and  then  bill 
the  Ministry  monthly  to  replenish  their  advance  accounts. 

Criteria:  the  standards  we  used  for  our  audit 

The  Ministry  should  obtain  timely,  relevant  and  reliable  performance  and 
financial  information  from  each  international  office.  Specifically,  the  Ministry: 

•  and  the  international  offices  should  have  appropriate  security  measures  for 
the  information  systems  that  collect,  store  and  transmit  data. 

•  should  obtain  assurance  that  adequate  systems  are  in  place  at  the  offices 
and  that  controls  are  functioning  appropriately. 

Our  audit  findings 

The  Ministry  partly  met  this  criterion.  It  obtains  timely,  relevant  and  reliable 
performance  and  financial  information  from  each  office  monthly.  But  it  needs 
to  ensure  the  offices  have  appropriate  security  measures  in  place  to  protect 
information  systems.  The  Ministry  relies  on  the  federal  government  (for 
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Updated  inventory 
of  IT  systems  and 
controls  needed 


systems  at  the  embassy  offices)  and  international  office  staff  (tor  systems  at  the 
stand-alone  offices)  to  establish  and  maintain  adequate  controls  over  IT 
systems.  However,  the  Ministry  does  not  receive  assurance  over  their  control 
environment.  This  practice  does  not  meet  today's  expectations  regarding 
management's  obligations  to  ensure  adequate  controls  are  in  place  and 
functioning  appropriately. 

a)    No  listing  of  systems,  controls  and  standards  at  the  international  offices 
The  Ministry  does  not  have  an  up-to-date  detailed  listing  of  the  computer 
systems,  the  controls  in  place  and  the  IT  standards  followed  at  the  10 
international  offices.  The  Ministry  hired  a  consultant  to  review  the  offices  in 
2002.  including  making  an  inventory  of  the  hardware  and  software  systems. 
This  list  has  not  been  updated  since  then.  The  review  focused  on  computer 
systems  and  user  concerns,  not  on  controls  in  place  or  the  IT  policies  and 
standards  being  followed. 


No  assurance  that 
controls  are 
effective 
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federal  systems 
and  processes  but 
no  assurance  that 
controls  are 
effective 


Three  offices 
contract  with  local 
IT  companies  but 
no  assurance  that 
controls  are 
effective 


b)    No  assurance  that  systems  and  controls  are  effective  and  meet  GoA 

policies  and  standards 
The  Ministry  does  not  receive  assurance  that  systems  and  controls  are 
appropriate  and  functioning  as  intended  at  the  international  offices.  The 
Ministry's  Information  Management  &  Technology  division  currently  provides 
minimal  IT  guidance  to  the  staff  at  the  offices  and  the  division  is  not  direr!  1\ 
involved  in  setting  up  or  maintaining  offices'  equipment  or  software.  The 
Ministry  needs  assurance  that  controls  are  effective  and  that  Government  of 
Alberta  (GoA)  policies  and  standards  for  IT  are  met  at  all  offices. 

The  seven  offices  in  Canadian  embassies  use  federal-government  servers  and 
hardware;  however,  the  Ministry  has  no  arrangements  to  receive  assurance  from 
the  federal-government  that  controls  are  effective.  The  Ministry  should  verify 
that  federal  standards  followed  by  these  offices  meet  applicable  GoA  policies 
and  standards  in  areas  such  as  IT  systems  security  (passwords,  firewalls,  etc) 
and  transmission  of  personal  information. 

The  three  offices  not  in  embassies  (Japan,  Hong  Kong.  China)  have  their  own 
financial  and  operating  systems  and  they  contract  directly  with  local  IT 
companies  for  maintenance  and  support.  The  Ministry  relies  on  the  staff  in  these 
offices  to  ensure  systems  and  controls  are  in  place  and  operating  effectively.  It 
does  not  receive  independent  assurance  they  have  done  so.  Similar  to  the 
embassy  offices,  these  offices  should  provide  evidence  to  the  Ministry  that  they 
follow  applicable  GoA  IT  standards.  If  possible,  the  local  IT  companies  should 
be  contractually  required  to  provide  the  offices  and  the  Ministry  with  assurance 
that  the  systems  meet  GoA  IT  standards  and  that  the  controls  are  effective. 
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New  offices  also 
need  security 


Personal 
information  not 
protected 


GoA  policy  not 
followed 


The  Ministry  may  open  new  offices  in  other  countries.  Both  existing  and  new 
of  fices  need  IT  systems  that  meet  GoA  standards. 

c)    No  secure  transmission  of  information 

During  our  review  of  the  offices'  monthly  billing  processes,  we  noted  that 
personal  information  was  transferred  in  an  insecure  manner  between  the  offices 
and  the  Ministry.  For  example,  each  month,  financial  information — including 
personal  information  on  international  office  staff  salaries  and  bonuses — is 
transmitted  between  the  offices,  the  Ministry,  and  Service  Alberta  by  fax  or 
email.  The  Government  of  Alberta  Policy  for  the  Transmission  of  Personal 
Information  states  that  "any  documentation  or  records  containing  personal 
information  shall  not  be  transmitted  via  electronic  mail  or  facsimile  unless: 

•  personal  identifiers  have  been  removed,  or 

•  the  message  is  encrypted  in  such  a  manner  that  the  message  sender  and 
recipient  can  both  be  authenticated,  or 

•  other  means  are  employed  by  both  the  sending  and  receiving  parties  to 
ensure  confidentiality  is  maintained." 

The  current  processes  to  transfer  information  between  the  Ministry,  the  offices 
and  Service  Alberta  do  not  follow  this  GoA  Policy:  personal  identifiers  (names) 
are  not  removed,  emails  are  not  encrypted,  and  other  means  (follow-up  phone 
calls)  are  not  consistently  used  to  maintain  confidentiality. 


IT  systems  may 
be  unsecure 


Implications  and  risks  if  recommendation  not  implemented 

Without  assurance  that  the  international  offices  have  effective  systems  and 
controls  in  place,  information  they  collect,  store  and  transmit  may  not  be  secure. 
The  highest  risk  exists  in  the  three  offices  not  at  Canadian  embassies  as  they 
may  not  meet  government  IT  standards.  Since  the  international  offices'  staff  can 
connect  with  corporate  GoA  human  resource  or  financial  systems,  it  is  very 
important  that  they  have  controls  in  place  to  prevent  external  parties  from 
accessing  GoA  systems.  Also,  offices  may  have  confidential  information  on 
Alberta  businesses  in  their  systems:  it  must  also  be  protected  from  unauthorized 
access.  The  Ministry  is  not  aware  of  any  breaches  to  the  security  of  its  systems. 

Without  assurance  that  GoA  security  policies  are  followed,  further  concerns, 
such  as  personal  information  not  being  securely  transmitted,  may  exist  in  all  10 
offices. 


2.   Agreements  for  locally  engaged  staff— implemented 

terrnsPclarified  °Ur  2005 ~2006  AnnuaI  Report  (page  58) ,  we  recommended  that  the  Ministry 

of  Economic  Development  maintain  current  and  complete  arrangements  for 
staffing  at  its  international  offices.  The  Ministry  has  implemented  our 
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recommendation  by  clarifying  the  terms  of  compensation  for  locally  engaged 
staff. 

3.    Metis  Settlements  Ombudsman— implemented 

In  our  November  2006 Report  (No.  4 — page  21),  we  recommended  that  the 
Ministry  of  Aboriginal  Relations  review  how  it  handles  the  Metis  Settlements 
Ombudsman's  (MSO)  role. 

Ministry  set  up  jne  Ministry  implemented  our  recommendation  by  establishing  an  Office  of  the 

MSO  in  accordance  with  the  Metis  Settlements  Act  and  enacting  corresponding 
regulations.  The  Ministry  also  has  a  monitoring  process  to  support  and  maintain 
the  independence  of  the  Ombudsman's  role. 


Performance  reporting 

Financial  statements 

Unqualified  Our  auditor's  report  on  the  Ministry  of  International,  Intergovernmental  and 

au  itor  s  report      Aboriginal  Relations  financial  statements  for  the  year  ended  March  31 ,  2008  is 
unqualified. 

Performance  Measures 

No  exceptions       vVe  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Justice  and  Attorney  General 

Summary  of  our  recommendations 

The  Office  of  the  Public  Trustee,  Estates  and  Trusts  should  update  administrative 
policies  for  client  assets — see  below. 


Our  audit  findings  and  recommendations 

1 .    Office  of  the  Public  Trustee,  Estates  and  Trusts— Administrative  Policy 
Changes 
Recommendation 

We  recommend  that  the  Office  of  the  Public  Trustee,  Estates  and  Trusts 
update  administrative  policies  for  client  assets  by  ensuring  that  the  policy 
for: 

•  appraising  gems,  diamonds,  and  jewellery  specifies  what 
documentation  to  keep  in  trust  files  and  clearly  indicates  when  to 
appraise  non-diamond-like  jewellery. 

•  reimbursing  Dependent  Adult  travel  expenses  is  extended  to  Official 
Guardian  clients. 

•  valuing  personal  vehicles  for  Dependent  Adult  clients  specifies  how  to 
value  the  vehicles. 

Background 

Asset  control  xhe  Office  of  the  Public  Trustee,  Estates  and  Trusts  (OPT)  has  established 

policies  and  procedures  for  valuing  client  assets  and  reimbursing  client 
expenses.  These  policies  and  procedures  guide  trust  officers  and  other  OPT  staff 
administering  client  assets. 

The  policy  for  gems,  diamonds  and  jewellery  appraisal  requires  vault 
custodians  to  test  diamond-like  stones  to  verify  if  they  are  diamonds.  If  a  stone 
tests  positive  as  diamond,  an  appraisal  is  required.  The  testing  policy  is  limited 
to  diamond-like  stones. 

The  OPT  has  a  policy  for  reimbursing  travel  expenses  for  Dependent  Adult 
clients,  but  lacks  a  similar  policy  for  Official  Guardian  clients. 

The  policy  for  valuing  personal  vehicles  of  Dependent  Adult  clients  does  not 
specify  whether  to  value  vehicles  at  a  nominal  amount  or  at  fair  value. 
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Policies  should  be 
consistently 
applied  to  all 
client  files 


Criteria:  the  standards  we  used  for  our  audit 

Policies  for  valuing  client  assets  and  approving  and  reimbursing  client  expenses 
should  provide  sufficient  guidance  so  that  they  are  consistently  applied  to 
different  types  of  client  files. 


Our  audit  findings 

Testing  for  diamond-like  stones  was  done  but  test  results  were  not  included  in 
the  vault  inventory  listings.  We  did  not  find  evidence  that  vault  custodians 
communicated  positive  test  results  to  the  Trust  Office  so  appraisals  could  be 
arranged.  The  policy  for  appraising  gems,  diamonds  and  jewellery  indicated  the 
required  testing  for  diamonds  but  did  not  indicate  what  testing,  if  any,  to  do  on 
other  potentially  valuable  gems  and  jewellery. 

Travel  expenses  for  companions  of  Official  Guardian  clients  were  being 
reimbursed,  but  the  policy  lacks  guidelines  on  what  a  reasonable  travel  expense 
is. 

The  policy  for  valuing  personal  vehicles  of  Dependent  Adult  clients  conflicts 
with  the  Inventory  Valuation  Chart,  but  trust  officers  use  both  of  them.  The 
policy  requires  trust  officers  to  use  a  vehicle  evaluation  publication.  The 
Inventory  Valuation  chart  indicated  that  trust  officers  should  record  vehicles  at 
a  nominal  value. 


Client  trust  files 
subject  to  error 


Implications  and  risks  if  recommendation  not  implemented 

Client  assets  may  not  be  sufficiently  controlled  and  appropriately  recorded  in 
client  trust  files. 


Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  financial  statements  for  the  year  ended  March  31,  2008 
of  the  Ministry  and  the  Office  of  the  Public  Trustee,  Estates  and  Trusts  are 
unqualified. 

Performance  measures 
No  exceptions        We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 


Unqualified 
auditor's  report 
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Legislative  Assembly 

Performance  reporting 

Financial  statements 

We  audited  the  financial  statements  of  all  six  Offices  of  the  Legislative  Assembly, 
except  our  own.  for  the  year  ended  March  31,  2008.  A  private  sector  firm  of 
chartered  accountants  appointed  by  the  Standing  Committee  on  Legislative  Offices 
audited  our  financial  statements.  The  Offices  include: 

•  Legislative  Assembly  Office 

•  Office  of  the  Auditor  General 

•  Office  of  the  Information  and  Privacy  Commissioner 

•  Office  of  the  Ombudsman 

•  Office  of  the  Chief  Electoral  Officer 

•  Office  of  the  Ethics  Commissioner 

Unqualified  Our  auditor's  reports  for  the  financial  statements  of  the  Offices'  of  the  Legislative 

auditor  s  reports      Assembly  for  the  year  ended  March  31,  2008  are  unqualified. 
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Municipal  Affairs  and  Housing 

Summary  of  our  recommendations 

The  Ministry  should  improve  reporting  and  accountability  of  ME  first!  grant  funds 
provided  to  municipalities  for  the  purposes  of  reducing  greenhouse  gas  emissions. 
For  the  full  report  on  climate  change — see  below. 

The  Ministry  should  assess  the  status  of  grant  funds  advanced  to  start  affordable 
housing  projects — see  page  336. 


Our  audit  findings  and  recommendations 

1 .    ME  first!  Program 

Recommendation  No.  37 

We  recommend  that  the  Department  of  Municipal  Affairs  assess  the  effect 
on  greenhouse  gas  emissions  of  the  energy  savings  that  resulted  from  the 
projects  funded  by  the  Department  s  ME  first!  Program  and  that  the 
Department  report  the  lessons  learned  from  this  program  to  the 
Departments  involved  in  creating  climate  change  programs. 

Background 

A  key  part  of  Alberta's  2002  Albertans  &  Climate  Change— Taking  Action 
plan  involved  the  Alberta  government  negotiating  agreements,  or  sector 
agreements,  with  specific  Alberta  industry  sectors  and  municipalities  to  set 
measurable  goals  for  reducing  greenhouse  gas  emissions.  The  ME  first! 
program  was  created  in  2003  by  Alberta  Municipal  Affairs  and  Alberta 
Environment  as  one  of  the  programs  to  fulfill  this  part  of  the  plan. 

ME  first!  was  a  four-year  (2003-2006),  interest-free  loan  program  designed  to 
help  municipalities  save  energy,  reduce  greenhouse  gas  emissions,  and  replace 
conventional  energy  sources  with  renewable  or  alternative  sources.  In 
November  2006,  the  Ministry  decided  to  end  the  program,  as  originally 
scheduled,  following  the  December  2006  application  cycle.  The  program  paid  a 
total  of  $38.8  million  in  interest-free  loans  to  71  municipalities  for  84  projects, 
at  a  program  cost  of  $5.0  million.  To  qualify  for  an  interest-free  loan, 
municipalities  had  to  indicate  how  a  project  would  save  energy.  Municipalities 
receiving  loans  had  to  complete  two  reports.  The  first  was  due  at  the  end  of  the 
project.  It  asked  the  municipality  to  confirm  that  the  interest-free  loan  was  spent 
on  the  project.  An  Energy  Reduction  Confirmation  Report  was  due  one  year 
after  project  completion.  It  asked  the  municipality  to  summarize  the  actual 


ME  first!  part  of 
the  response  to 
2002  Climate 
Change  plan 


$5  million  cost 

Municipalities 
supposed  to  report 
on  energy  savings 
achieved 
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Program's  results 
should  be  assessed 


Program's  actual 
energy  savings  not 
always  obtained 


2. 


50%  of  funds 
advanced  to 
recipient  before 
construction  starts 


energy  savings  achieved  by  the  project— through  either  fewer  kilowatts  per 
hour  of  electricity  or  gigajoules  of  fuel. 

Criteria:  the  standards  we  used  for  our  audit 

The  Department  should  have  a  system  in  place  to  monitor  required  reporting 
from  municipalities  so  it  can  assess  the  energy  savings  that  the  program 
actually  achieved. 

The  Department  should  assess  the  energy  savings  from  this  program  to  decide 
how  to  structure  other  climate-change  programs. 

Our  audit  findings 

We  reviewed  23  of  the  84  projects  funded  under  ME  first!  and  found  that  12 
municipalities  had  not  submitted  the  Energy  Reduction  Confirmation  Report. 
The  Department  had  not  followed  up  to  obtain  these  reports.  In  cases  where 
reports  were  received,  there  was  no  indication  that  the  information  was  used,  in 

any  way. 

The  Department  prepared  program-evaluation  reports  for  ME  first!,  which 
assessed  project  management,  the  application  process,  and  the  promotional 
strategy.  But  neither  report  assessed  the  cost-effectiveness  of  the  program  in 
reducing  emissions. 

Implications  and  risks  if  recommendation  not  implemented 

If  the  Department  does  not  fully  gather  the  actual  energy  savings  and 
emissions-reduction  data  for  ME  first!,  it  is  not  possible  to  know  the  extent  of 
the  contribution  the  program  made  to  help  Alberta  achieve  its  emissions- 
reduction  goals. 

Affordable  housing  advances 
Recommendation 

We  recommend  that  the  Ministry  of  Housing  and  Urban  Affairs  assess  the 
status  of  funds  advanced  to  grant  recipients  who  have  not  started  the 
construction  of  affordable  housing  projects. 

Background 

The  Ministry  of  Housing  and  Urban  Affairs  provides  grants  to  organizations  to 
construct  new  affordable  housing  projects.  The  Ministry  enters  into  a  grant 
agreement  with  each  organization  to  build  affordable  housing  projects.  The 
grant  funds  are  paid  to  the  recipient  as  follows: 
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•  50%  of  the  grant  upon  receipt  of  all  necessary  documentation  that  the 
approved  project  complies  with  all  municipal  bylaws  and  zoning  bylaws. 

•  40%  when  the  project  is  50%  complete. 

•  10%  when  the  project  is  complete. 

Our  audit  findings 

The  agreement  with  the  grant  recipient  requires  that  if  the  funds  are  not  used  for 
the  intended  purpose,  funding  must  be  returned  to  the  Ministry.  The  grant 
agreement  also  specifies  that  during  construction  of  an  approv  ed  project  the 
grant  recipient  will  provide  an  audited  statement  pertaining  to  the  use  of  the 
grant  monies.  However,  there  is  no  required  reporting  by  the  grant  recipient  for 
monies  advanced  where  construction  has  not  yet  started. 

Over  the  years,  funding  has  been  advanced  for  approved  projects  where 
construction  has  not  yet  started.  For  example,  between  2003-04  and  2005-06 
there  were  4  projects  where  $3.7  million  was  advanced,  but  construction  had 
not  started.  The  Ministry  requests  and  receives  information  on  the  reason  for 
these  project  delays,  but  does  not  require  confirmation  on  the  status  or  use  of 
funds  prior  to  construction. 

As  the  Department  does  not  require  accountability  reports  until  construction 
starts,  it  should  obtain  the  necessary  assurance  through  its  own  review  that  grant 
money  is  safeguarded  and  program  objectives  will  be  met. 

Implications  and  risks  if  recommendation  not  implemented 

Missed  opportunities — projects  that  could  be  completed  may  be  delayed.  Also, 
when  funding  is  advanced  before  the  start  of  construction,  the  risk  of 
misappropriation  of  grant  funds  is  increased. 

3.   Alberta  Social  Housing  Corporation 
3.1  Systems  for  selling  land  in  Fort  McMurray — follow  up  audit 
3.1.1  Summary 

In  2005,  we  audited  the  Alberta  Social  Housing  Corporation's  (the  Corporation) 
systems  used  to  sell  land  in  Fort  McMurray  as  well  as  its  land  sales  and  grants 
from  1999  to  October  2005.  Our  objective  was  to  assess  whether  the 
Corporation's  systems  for  the  sale  of  land  met  program  objectives.  In  our 
October  2005  public  report1,  we  made  two  recommendations  to  the  Corporation 
to  establish  a  long-term  plan  for  selling  land  in  Fort  McMurray  and  to  improve 
systems  used  to  sell  land. 


1  See  pages  21  and  26  of  our  Report  of  the  Auditor  General  on  Alberta  Social  Housing  Corporation— Land  Sales  Systems- 
October  2005. 
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Fort  McMurray's  population  in  2005  was  approximately  61,000,  and  is 
expected  to  reach  95,000  by  the  end  of  201 1. 2  Using  an  estimate  of  three 
persons  per  household,  this  translates  to  a  need  for  approximately  10,000  new 
housing  units.  Together  with  the  2006  housing  deficit  estimate  of  4,0003 
housing  units,  the  total  new  housing  units  required  by  2011  is  14,000. 

This  year,  our  follow-up  work  has  satisfied  us  that  management  has 
implemented  both  recommendations. 

Improving  systems  to  sell  land 

The  Corporation  improved  its  systems  for  selling  land  in  the  Fort  McMurray 
area  by  clearly  defining  its  objectives  and  establishing  a  request  for  proposal 
process  for  each  land  sale.  It  clearly  defined  the  terms  and  conditions  in  sales 
agreements  and  developed  processes  to  monitor  and  enforce  the  conditions  in 
the  agreements.  These  systems  were  used  when  the  Government  of  Alberta  sold 
Parcel  D  in  the  summer  of  2005  and  Parcel  F  in  the  spring  of  2006  for 
development.  These  two  parcels  of  land  are  expected  to  yield  a  total  of 
approximately  5,400  housing  units4. 

Long-term  planning 

The  government  has  established  a  plan  to  sell  land  in  Fort  McMurray.  The  Oil 
Sands  Sustainable  Development  Secretariat  (OSSDS)  created  the  Community 
Development  Plan  (CDP),  in  consultation  with  all  key  stakeholders,  to  deal  with 
the  immediate  and  medium-term  needs  for  housing  in  Fort  McMurray.  Planned 
developments  at  Saline  Creek  and  Parsons  Creek  are  expected  to  yield  another 
13,000  housing  units.  The  OSSDS  has  also  established  processes  to  implement 
and  monitor  progress  in  achieving  the  CDP. 

Since  the  plan  is  new,  it  will  take  some  time  to  see  if  it  meets  the  stated 
objectives.  We  will  audit  the  implementation  and  effectiveness  of  the  plan  in  the 
future. 

3.1.2    Our  audit  findings 

3.1 .2.1    Systems  for  selling  land— implemented 

The  Corporation  has  implemented  the  recommendation  by  improving  its 

systems  for  selling  land  and  using  this  system  for  selling  Parcels  D  and  F.  The 

Corporation  sold  Parcel  D  for  $18,496,000  ($50,000  per  acre)  and  Parcel  F  for 


3  Investing  in  our  Future:  Responding  to  the  Rapid  Growth  of  Oil  Sands  Development,  December  29,  2006,  pg  53 
Investing  in  our  Future:  Responding  to  the  Rapid  Growth  of  Oil  Sands  Development,  December  29,  2006,  pg  49 
Housing  units  include  duplexes,  townhouses,  condos,  single  family  lots,  ASHC  units,  and  multi-family  units. 
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$9,893,650  ($50,000  per  acre).  The  sale  of  Parcels  D  and  F  are  expected  to 
yield  a  total  of  approximately  5,400  housing  units. 

The  Corporation's  process  for  selling  Parcels  D  and  F  are  described  below: 

Sales  meet  the  Corporation's  objectives  and  the  province  gets  appropriate 
value  for  the  land — the  Corporation's  objectives  for  selling  land  are: 
development  timing,  involvement  of  local  stakeholders,  affordable  housing  and 
long  term  affordability.  These  objectives  were  clearly  defined  and  documented 
in  the  Request  for  Proposals  and  in  the  sales  agreements. 

The  selling  price  for  Parcels  D  and  F  of  $50,000  per  acre  is  representative  of 
normal  market  conditions  at  the  time,  with  other  cities  being  used  as  a 
comparison.  The  selling  price  was  fixed  to  ensure  that  the  housing  costs  in 
Fort  McMurray  are  not  further  increased  by  high  land  prices.  The  Corporation 
offered  developers  financing  terms  that  were  typical  for  land  sales.  The 
Corporation  included  adequate  conditions  in  the  land  sales  agreements  for 
Parcels  D  and  F  to  ensure  that  its  objectives  for  each  sale  would  be  met. 

Land  sales  agreements  are  received  and  approved— the  Corporation 
followed  a  comprehensive  process  to  review  and  approve  both  the  Request  for 
Proposals  and  land  sales  agreements  for  Parcels  D  and  F.  The  process  included 
the  involvement  of  a  RFP  Review  Committee  (the  Committee),  the 
Corporation's  Board  of  Directors  and  the  Corporation's  lawyers.  The 
Committee  assessed  the  submitted  proposals  against  predetermined  criteria  and 
recommended  the  top  proposal  for  approval  of  the  Corporation's  Board  of 
Directors  for  both  land  sales.  The  Corporation's  Board  of  Directors  approved 
the  land  sales  of  Parcels  D  and  F. 

Sale  agreements  clearly  outline  the  terms  and  conditions  of  the  sales — the 

land  sales  agreements  include  various  legal  and  financial  conditions  intended  to 
protect  the  Corporation  from  financial  loss,  default  or  potential  liability.  The 
terms  and  conditions,  if  complied  with,  help  to  ensure  the  Corporation's 
objectives  for  the  sale  will  be  met. 

Conditions  in  agreements  are  monitored  and  enforced — the  Corporation 
monitors  the  developer's  sale  of  lots  for  a  previous  land  sale  to  ensure  that  the 
developer  has  complied  with  the  sales  condition  to  sell  at  least  15%  of  all 
serviced  single-family  lots  created  to  local  builders  and  residents.  The  Parcel  D 
and  F  sales  agreements  include  several  sales  conditions  and  remedies  penalties 
for  non-compliance. 
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3.1.2.2   Establish  a  long-term  plan  for  selling  land  in  Fort  McMurray — 
implemented 

In  the  summer  of  2007,  the  Government  of  Alberta  created  the  Oil  Sands 
Sustainable  Development  Secretariat  (OSSDS)  to  deal  with  rapid  growth  issues 
in  the  oil  sands  regions  of  Alberta.  The  OSSDS  developed  the  Community 
Development  Plan  (CDP)  to  address  the  immediate  and  medium-term  needs  for 
housing  in  Fort  McMurray.  Cabinet  approved  the  CDP  and,  to  date, 
Treasury  Board  has  provided  $100  million  of  funding. 

The  CDP  proposes  two  areas  for  development  in  Fort  McMurray— the 
Parsons  Creek  area  and  the  Saline  Creek  area: 

•  The  Parsons  Creek  area  will  be  developed  using  a  traditional  model.  Land 
will  be  transferred  to  the  Corporation  who  in  turn  will  sell  the  land  to 
developers  as  market  conditions  dictate.  A  local  Community  Advisory 
Board  will  make  recommendations  to  government  regarding  the  overall 
development  plan  of  the  Parsons  Creek  land  parcel.  Net  proceeds  from  the 
sales  will  be  used  to  build  the  social  assets  (schools,  affordable  housing, 
recreational  facilities  etc.)  for  the  community. 

•  The  Saline  Creek  area  will  be  developed  through  an  alternative  capital 
financing  model  with  one  developer.  The  developer  could  bear  the  up  front 
social  asset  and  infrastructure  costs.  We  were  told  the  agreement  will  be 
structured  to  provide  the  developer  with  a  fair  return  while  keeping  lot 
prices  reasonable. 

We  were  told  that  proceeding  with  the  two  models  will  double  the  build-out  rate 
to  more  effectively  address  the  housing  shortage.  Development  on  these  lands 
should  start  in  2010  and  meet  the  housing  needs  to  about  2015/16.  These  lands 
will  house  greater  than  40,000  people  and  13,000  housing  units  by  2015. 

The  OSSDS,  working  with  the  Alternative  Capital  Financing  group  at  Treasury 
Board  and  the  Ministry  of  Housing  and  Urban  Affairs,  are  responsible  for 
implementing  the  CDP.  OSSDS  is  monitoring  implementation  of  the  plan  by: 

•  incorporating  the  plan's  strategies  into  ministry  business  and  operational 
plans. 

•  establishing  a  cross-government  committee  to  coordinate  government 
activity. 

•  hiring  of  staff  to  implement  and  monitor  the  plan. 

•  requesting  internal  audit  to  provide  assurance  on  the  implementation  of  the 
plan. 

In  our  previous  report,  we  outlined  several  areas  that  needed  to  be  considered  in 
the  plan.  Following  is  a  summary  of  how  these  areas  are  addressed  in  the  plan: 


Recommendation 
implemented 
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Consulting  with  the  Municipality    representatives  of  the  Municipality  were 
active  participants  in  the  development  of  the  CDP.  To  facilitate  the 
implementation  of  the  CDP,  the  OSSDS  has  established  a  cross-government 
committee.  Representatives  from  Municipality  are  on  this  committee  to 
communicate  the  needs  of  the  community. 

Timing  the  development — the  plan  calls  for  the  land  to  be  released  in  time  to 
prepare  it  for  development  and  to  build  the  offsite  infrastructure  by  2010.  This 
coordinates  with  the  anticipated  date  of  Parcels  D  and  F  being  fully  occupied. 

Offsite  infrastructure  and  servicing  costs — total  projected  expenditures  for 
the  two  parcels  of  land  will  be  approximately  $621  million — Parsons  Creek  will 
cost  $348  million  and  Saline  Creek  will  be  $273  million.  As  part  of  the  plan,  the 
province  will  assist  with  up-front  offsite  infrastructure  in  areas  that  are  normally 
a  municipal  responsibility.  The  provincial  government  will  be  responsible  for 
the  transportation  infrastructure  totalling  $521  million  and  the  Municipality  may 
contribute  a  portion  of  the  costs.  On-site  infrastructure  and  servicing  costs  will 
be  the  responsibility  of  the  developers. 

Meeting  housing  needs — proceeding  with  two  different  models  provides  a 
level  of  flexibility  to  meet  the  housing  market  conditions.  The  Saline  Creek  area 
will  be  developed  as  one  major  project.  However,  land  from  the  Parsons  Creek 
area  will  be  sold  by  the  Corporation  as  the  market  dictates. 

Coordinating  with  other  ministries — Although  OSSDS  prepared  the  CDP, 
numerous  ministries  and  the  Municipality  had  input  into  the  plan.  The 
ministries  included  Treasury  Board,  Transportation.  Municipal  Affairs, 
Infrastructure,  Housing  and  Urban  Affairs,  Sustainable  Resources 
Development,  Energy,  Finance  and  Justice.  These  ministries  will  contribute  to 
the  implementation  of  the  CDP. 

Assessing  the  impact  of  land  sales  on  existing  land,  lot  and  housing  prices— 

the  plan  considers  the  need  to  keep  land  prices  affordable.  The  simultaneous 
sale  and  different  approaches  to  development  of  both  parcels  of  land  will  assist 
in  meeting  the  market  demand  for  land  and  housing  in  the  area  The  Government 
of  Alberta  will  contribute  funding  for  its  portion  of  offsite  infrastructure 
expenses  to  reduce  the  cost  of  land. 


5  Regional  Municipality  of  Wood  Buffalo 
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Ensuring  resources  to  implement  the  plan — OSSDS  expects  that  the  required 
trades  personnel  will  be  available  to  meet  the  development  needs  and  timelines 
of  the  CDP.  The  development  of  Parsons  Creek  will  coincide  with  the 
completion  of  Parcels  D  and  F.  The  potential  private  sector  partners  for  the 
Saline  Creek  development  will  be  required  to  provide  trade  resources  to 
complete  the  project. 

3.2  Capital  Asset  Policy — recommendation  implemented 

Capital  asset  \n  our  2006-2007  Annual  Report  (vol.  2— page  1 37)  we  recommended  that  the 

policy  updated  Alberta  Social  Housing  Corporation  (Corporation)  develop  and  implement 

procedures  to  support  its  capitalization  policy,  and  document  and  communicate 
them.  The  Corporation  has  updated  their  capital  asset  policy  and  procedures  and 
communicated  its  policy  to  staff  responsible  for  following  this  policy. 


Unqualified 
auditor's  reports 


Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  Ministry's,  Department's  and  the  Corporation's 
financial  statements  for  the  year  ended  March  31,  2008  are  unqualified. 


Our  auditor's  reports  for  the  year  ended  December  31,  2007,  on  the  following 
financial  statements  are  unqualified: 

•  Improvement  Districts  4,  9,  12,  13  and  24. 

•  Kananaskis  Improvement  District. 

•  Special  Areas  Trust  Account. 


Performance  measures 
No  exceptions        We-  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Unqualified 
auditor's  reports 


Non-compliance 
with  legislation 


No  exceptions 


Seniors  and  Community  Supports 

Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  Ministry  and  Department  financial  statements  for  the 
year  ended  March  31.  2008  are  unqualified. 

Our  auditor  s  report  on  the  financial  statements  of  the  following  for  the  year  ended 
March  31.  2008  are  unqualified: 

•  Persons  with  Development  Disabilities  Northwest  Region  Board 

•  Persons  with  Development  Disabilities  Northeast  Region  Board 

•  Persons  with  Development  Disabilities  Edmonton  Region  Board 

•  Persons  with  Development  Disabilities  Central  Region  Board 

•  Persons  with  Development  Disabilities  Calgary  Region  Board 

•  Persons  with  Development  Disabilities  South  Region  Board 

Our  auditor's  report  on  the  financial  statements  of  the  Calgary  Region  Community 
Board  has  an  information  paragraph  reporting  that  expenses  include  payments  by  the 
Community  Board  for  services  to  individuals  whose  disability  did  not  meet  the  legal 
definition  of  a  developmental  disability.  The  Community  Board  provided  services  to 
individuals — and  funding  to  organizations — that  fall  outside  of  the  parameters  set  by 
the  Persons  with  Developmental  Disabilities  Community  Governance  Act. 

Performance  measures 

We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
performance  measures  in  the  Ministry's  2007-2008  Annual  Report. 
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Service  Alberta 

Summary  of  our  recommendations 

The  Ministry  of  Service  Alberta  should  consider  providing  internal  control 
assurance  to  its  client  ministries  on  its  centralized  processing  of  transactions — see 
below. 

The  Ministry  should: 

•  ensure  adequate  logging  and  monitoring  processes  are  in  place  in  all  application 
systems  that  host  or  support  financial  information  and  Albertans'  personal 
information — see  page  346. 

•  securely  store  void  or  cancelled  documents  with  confidential  information 
obtained  through  its  vital  statistics  services — see  page  348. 

•  document  its  review  of  actual  system-conversion  activities — see  page  349. 


Our  audit  findings  and  recommendations 

1 .    Service  Alberta's  role  as  a  central  processor  of  transactions 
Recommendation  No.  38 

We  recommend  that  the  Ministry  of  Service  Alberta  consider  providing 
internal  control  assurance  to  its  client  ministries  on  its  centralized 
processing  of  transactions. 

Background 

Service  Alberta  provides  centralized  processing  of  financial  transactions 
services  to  its  client  ministries.  Deputy  Ministers  and  Senior  Financial  Officers 
(SFO)  of  client  ministries  rely  on  Service  Alberta's  control  over  centralized 
processing.  They  expect  that: 

•  business  processes  are  well-documented  and  understood. 

•  adequate  risk  assessments  are  complete. 

•  controls  to  mitigate  identified  risks  are  designed,  implemented,  and 
operating  effectively. 

Service  Alberta  management  does  not  confirm  to  its  client  ministries  that  it  has 
met  these  responsibilities  under  the  service-level  agreements  it  has  with  them. 
Some  ministries  have  asked  Service  Alberta  to  provide  assurance  on  the  quality 
of  its  internal  control  over  its  centralized  processes  of  financial  transactions. 


Service  Alberta 
provides  service  to 
ministries 
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SA  should  give 
assurance  to 
ministries 


Ministries  should 
know  SA  controls 


Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  management  should  understand  its  service-delivery  processes, 
know  the  associated  risks,  and  have  controls  in  place  to  mitigate  them,  and 
provide  internal  control  assurance  to  its  client  ministries  on  its  centralized 
processing  of  financial  transactions. 

Client  ministries  should  understand  the  control  over  the  services  Service 
Alberta  provides  to  them. 


SA  gives  no 
assurance 


Ministries  assume 
controls  effective 
but  get  no 
assurance 


Our  audit  findings 

Service  Alberta  does  not  provide  assurance  on  its  centralized  processing  of 
transactions  to  its  client  ministries.  The  audit  work  currently  done  by  the  Office 
of  the  Auditor  General  to  support  our  opinions  on  ministries'  financial 
statements  is  not  designed  to  assess  all  business  risks  including  for  example,  the 
risk  of  misuse  of  employees'  personal  information  or  vendor  information. 

Deputy  Ministers  and  SFOs  of  client  ministries  do  not  sufficiently  understand 
the  controls  over  the  services  that  Service  Alberta  provides  to  them.  They 
receive  no  assurance  that  the  controls  are  operating  effectively— but  they 
operate  based  on  this  assumption. 


Implications  and  risks  if  recommendation  not  implemented 

Service  Alberta  and  its  client  ministries  cannot  mitigate  risks  cost  effectively  if 
the  client  ministries  do  not  understand  and  do  not  have  assurance  on  Service 
Alberta's  internal  controls  over  its  centralized  financial  processes. 

Access-  and  security-monitoring  of  application  systems 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  ensure  adequate 
logging  and  monitoring  processes  are  in  place  in  all  application  systems 
that  host  or  support  financial  information  and  Albertans'  personal 
information. 


Server  log  files 
key  to  monitor 
traffic 


Central  location  to 
store  log  files 


Background 

Information  is  typically  protected  by  limiting  user  access.  Server  log  files,  if  set 
up  correctly,  provide  detailed  information  about  the  traffic  in  and  out  of  a  server 
or  an  application.  These  log  files  are  critical  information  sources  if  an  incident 
occurs  and  evidence  must  be  gathered  to  investigate  it. 

IT  security  best  practices  suggest  server  log  files  be  sent  from  the  source  servers 
or  network  devices  to  one  central  logging  repository  where  they  can  be 
correlated  and  reviewed  for  potential  security  breaches.  Once  the  log  files  are  at 
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a  central  location,  management  can  analyze  them  for  potential  attack  patterns  or 
security  breaches,  such  as: 

•  access  failures  from  internal  or  external  sources. 

•  failed  or  repeated  access  attempts. 

•  increased  user-account  privileges. 

•  server  failures,  including  restarts  and  reboots. 

•  traffic  increases  to  applications  or  servers. 

The  applications  used  by  Service  Alberta  match  these  best  practices  to  varying 
degrees.  Protection  of  sensitive  information  is  important,  and  adopting  best 
practices  would  help  support  teams  catch  unauthorized  activities  and  prevent 
confidential  information  from  being  compromised. 

Criteria:  the  standards  we  used  for  our  audit 

Monitoring  and  Service  Alberta  should  have  processes  in  place  to  monitor  and  log  security  and 

logging  needed  .  ,  . . 

65  5  access  violations. 


Log  files  not  in 
secure  central 
location 


Service  Alberta 
plans  to  improve 
monitoring  of  user 
activities  in  ALTA 


No  monitoring  of 
system  activities 


Our  audit  findings 

Service  Alberta  reviews  modifications  to  the  Motor  Vehicles  System  (MOVES) 
and  matches  them  with  supporting  documentation.  But  it  keeps  the  log  in 
MOVES  instead  of  in  a  secure  central  repository. 

Service  Alberta's  vital  statistics  division  has  28  users  with  full  access  to  all 
Vital  Statistics  System  (VISTAS)  modules.  These  users  can  access  and  change 
sensitive  and  confidential  personal  information.  Their  activities  are  logged  in 
VISTAS,  instead  of  a  secure  central  repository.  Service  Alberta  could  review 
users'  activities,  but  it  does  not  do  so  regularly. 

Service  Alberta  tracks  the  transaction  history  of  the  Alberta  Land  Titles 
Application  (ALTA),  and  uploads  the  history  daily  to  a  separate  application  for 
reporting  and  review  purposes.  In  developing  the  next  version  of  ALTA. 
management  plans  to  improve  monitoring  of  users'  activity  logs  by 
incorporating  automated  process  to  flag  unusual  activities  for  investigation. 

Service  Alberta  tracks  and  monitors  transaction  activities  in  the  Corporate 
Registries  System  (CORES).  It  tracks— but  does  not  monitor— system 
activities,  such  as  changes  to  users'  access  rights  and  privileges. 

Service  Alberta  could  review  activities  of  particular  accounts  in  the  Alberta 
Personal  Property  Registry  Electronic  System  (APPRES).  But  it  does  not  do  so 
regularly. 
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Implications  and  risks  if  recommendation  not  implemented 

Service  Alberta  will  not  be  able  to  detect  possible  intrusions  to  its  critical 
information  systems. 

Information  can  be  tampered  with  if  log  files  are  not  kept  in  a  secure  central 
repository. 

3.    Secure  storage  for  confidential  information  of  Albertans 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  securely  store  void  or 
cancelled  documents  with  confidential  information  obtained  through  its 
vital  statistics  services. 


Service  Alberta 
processes 
confidential  vital 
statistics 


Background 

Registry  agencies  receive  requests  to  cancel  services  previously  requested  by 
Albertans.  The  agencies  send  the  void  or  cancelled  marriage  licences  and 
applications  for  birth,  marriage  and  death  certificates,  together  with  the 
"Request  for  Cancelling  a  Service"  forms,  to  Service  Alberta  for  processing  in 
VISTAS  and  IMAGIS. 


Documents 
archived  for  seven 
years,  then 
destroyed 


When  Service  Alberta  receives  these  documents  and  the  void  or  cancelled 
certificates,  it  reviews  and  approves  the  cancellation  requests  before  entering 
the  cancellations  in  VISTAS  and  IMAGIS.  Service  Alberta  keeps  the  void  or 
cancelled  certificates  for  one  year  before  sending  them  for  archiving  at  a 
government  storage  site.  The  archived  documents  are  kept  at  the  site  for  seven 
years  and  then  destroyed. 


Secure  storage 
necessary 


Criteria:  the  standards  we  used  for  our  audit 

All  void  or  cancelled  documents  that  contain  Albertans'  confidential  personal 
information  should  be  stored  securely. 


Confidential 
information  not 
stored  securely 


Our  audit  findings 

The  void  or  cancelled  certificates  are  not  securely  stored  while  they  are  at 
Service  Alberta.  They  were  kept  in  a  box  under  an  employee's  desk.  Although 
Service  Alberta's  premises  are  not  accessible  to  the  public,  the  information 
should  be  kept  in  a  locked  facility  to  avoid  unnecessary  exposure. 


Implications  and  risks  if  recommendation  not  implemented 

Identity  theft  could  result  if  confidential  information  is  not  securely  stored. 
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4.    System-conversion  process 
Recommendation 

We  recommend  that  the  Ministry  of  Service  Alberta  document  its  review  of 
actual  system-conversion  activities  to  ensure  that  they  comply  with  the 
approved  test  plan  for  system  conversion  and  data  migration. 


Conversion  of 
personal  property 
registration  system 


Background 

Effective  December  I,  2007,  Service  Alberta  converted  the  data  originally 
captured  in  the  former  Personal  Property  Information  System  (PERPIS)  to  the 
new  Alberta  Personal  Property  Registry  Electronic  System  (APPRES). 


What  we  did: 
reviews  and 
interviews 


We  reviewed  the  APPRES  requirements  documents  and  Service  Alberta's 
testing  methodologies  for  data  migration  from  PERPIS  to  APPRES.  We 
interviewed  key  Service  Alberta  management  to  understand  the  process  used  to 
test  the  reporting  capabilities  of  APPRES  and  how  the  functionality  of  PERPIS 
was  mirrored  and  improved  in  APPRES.  We  also  reviewed  the  post- 
implementation  problem-reporting  procedures,  and  focused  on  how  Service 
Alberta's  post-implementation  team  reported  potential  problems  with  APPRES 
and  how  they  were  resolved. 


Data-conversion 
plan  and  test  plan 

Reconciliations 
Audit  trail 


Analysis  for 
lessons  learned 


Criteria:  the  standards  we  used  for  our  audit 

Service  Alberta  should: 

•  document  a  detailed  data-conversion  plan  and  a  test  plan  and  have  them 
approved  by  an  appropriate  level  of  management. 

•  perform  reconciliations  to  ensure  that  the  data  transferred  is  accurate  and 
complete. 

•  create  an  audit  trail  to  prove  that  actual  conversion  activities  followed  the 
approved  test  plan,  or  that  any  deviation  has  been  properly  supported  and 
documented. 

•  perform  a  post-implementation  analysis  to  ensure  that  lessons  learned  can 
be  applied  to  future  data  conversions. 


Not  clear  if  test 
plan  followed 


Our  audit  findings 

The  migration  procedures  were  documented  and  provided  detailed  steps 
including  expected  results  for  each  test  procedure.  Of  the  50  test  cases 
reviewed,  the  expected  results  for  24  test  cases  were  not  checked  and  signed  by 
the  test  team  member.  There  is  no  clear  indication  that  the  test  plan  steps  were 
followed  and  there  were  no  signatures  confirming  the  test  results  achieved  or 
the  steps  followed. 


Service  Alberta  did  conduct  post  implementation  reviews  on  the  APPRES 
application  and  formally  tracked  all  application  and  conversion  issues  to 
resolution. 
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Data  conversion 
may  be  inaccurate 


Government 

reorganization 

made 

recommendation 
irrelevant 


Implications  and  risks  if  recommendation  not  implemented 

Failing  to  follow  the  approved  test  plan  could  result  in  incomplete  or  inaccurate 
data  conversion  from  the  former  system  to  the  new  one. 

Managing  for  results — changed  circumstances 
In  our  November  2004  management  letter  to  the  former  Ministry  of 
Government  Services,  we  recommended  that  the  Ministry  improve  its  processes 
for  human  resources,  operations,  and  business  planning. 

In  our  2004-2005  Annual  Report  (page  214),  we  reported  satisfactory  progress 
on  these  recommendations.  In  the  November  2005  government  reorganization, 
the  former  Ministry  of  Government  Services  and  the  former  Ministry  of 
Restructuring  and  Government  Efficiency  merged  to  become  the  Ministry  of 
Service  Alberta.  We  will  not  track  these  performance-reporting 
recommendations  any  further,  as  they  are  not  relevant  due  to  significant 
organizational  changes.  We  will  consider  doing  future  audits  of  performance- 
reporting  systems  as  we  develop  our  annual  plans  for  systems  audits. 


Performance  reporting 

Financial  statements 

Our  auditor's  report  on  the  Ministry  financial  statements  for  the  year  ended 
March  31.  2008  is  unqualified. 

Our  auditor's  reports  are  unqualified  on  the  financial  statements  of  the  following 
employee  benefit  plans: 

•  Long  Term  Disability  Income  Continuance  Plan — Bargaining  Unit  and  Long 
Term  Disability  Income  Continuance  Plan— Management,  Opted  Out  and 
Excluded  for  the  year  ended  March  31,  2008. 

•  Government  of  Alberta  Dental  Plan  Trust  for  the  year  ended 
December  31,  2007. 

•  Government  Employees'  Group  Extended  Medical  Benefits  Plan  Trust  for  the 
year  ended  December  31,  2007. 

Performance  measures 
No  exceptions        We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 


Unqualified 
auditor's  reports 
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Solicitor  General  and  Ministry  of 
Public  Security 

Summary  of  our  recommendations 

The  Department  should  implement  an  information  technology  control  framework- 
see  page  5 1 

The  Alberta  Gaming  and  Liquor  Commission  (AGLC)  should: 

•  develop  an  IT  control  framework — see  page  5 1 

•  design  and  implement  a  comprehensive  change  management  policy  and  ensure 
change  management  controls  are  consistently  followed  throughout  the 
organization — see  section  2  below. 


Our  audit  findings  and  recommendations 

1.    Provincial  policing  standards— implemented 

In  our  2002-2003  Annual  Report  (No.  40 — page  272),  we  recommended  that 
the  Department  implement  the  plan  for  provincial  policing  standards. 


Policing  standards 
established 


Compliance 

program 

developed 


The  Department  fully  implemented  the  recommendation  by: 

•  establishing  provincial  standards  for  adequate  and  effective  policing,  and 
issuing  a  policing-standards  manual  to  all  police  agencies  in  Alberta. 

•  developing  a  compliance-review  program  and  scheduling  site  audits  at 
police  agencies  to  confirm  compliance  with  the  standards. 

•  completing  compliance  reviews  at  8  of  the  12  police  agencies  that  provide 
policing  services  to  about  99%  of  Albertans. 

•  scheduling  dates  to  finish  reviews  at  the  remaining  4  police  agencies  and 
developing  plans  for  the  next  cycle  of  compliance  reviews. 


2.   Alberta  Gaming  and  Liquor  Commission  (AGLC) 
2.1  AGLC  IT  change  management 
Recommendation 

We  recommend  that  the  Alberta  Gaming  &  Liquor  Commission  (AGLC) 
design  and  implement  a  comprehensive  IT  change-management  policy  with 
well-designed,  efficient,  and  effective  control  processes.  We  further 
recommend  that  AGLC  ensure  that  their  change-management  controls  are 
consistently  followed  throughout  the  organization. 
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Justification  for 
good  change 
management 
processes 


Background 

Change  management  is  a  cornerstone  required  to  rely  on  the  availability, 
completeness,  accuracy  and  validity  of  accounting  and  business  critical 
systems.  Change-management  control  processes  ensure  that  all  changes  to  all 
information  systems  are  appropriate,  do  not  cause  security  problems,  and  meet 
user  needs.  Change-management  control  processes  also  ensure  that  the 
applications  and  systems  work  the  way  they  are  intended  to  and  that 
information  in  the  system  or  application  is  available  when  needed  and  is  reliable 
for  financial-reporting  purposes. 


Criteria:  the  standards  we  used  for  our  audit 

The  AGLC  Information  Systems  (IS)  group  should  have  a  well-designed, 
efficient,  and  effective  organization-wide  change-management  process.  The 
change-management  process  should  ensure  that: 

•  all  changes  are  properly  requested,  developed,  tested,  and  approved. 

•  all  changes — including  emergency  changes — follow  the  organization  wide 
change-management  process. 

•  there  is  a  segregation  of  duties  between  developing,  approving  and 
implementing  changes  for  the  production  environments. 


Inconsistent 
change 
management 
processes.  Some 
are  informal. 


Guidelines  exist 
but  no  evidence 
showing 
consistently 
followed 


Our  audit  findings 

AGLC  IS  does  not  have  a  change-management  process  that  is  consistently 
followed  throughout  the  organization.  We  observed  that  one  of  the  four  teams 
within  IS — Application  Development — had  documented  guidelines  for  change- 
management  including  segregation  of  duties  when  making  changes  so  that  one 
person  cannot  circumvent  the  change  management  process.  The  other  three 
teams  within  IS  follow  informal  change-management  procedures.  And,  it  was 
difficult  to  obtain  evidence  that  these  informal  change-management  processes 
were  consistently  followed  or  operated  effectively  throughout  the  organization. 

The  Application  Development  team's  change-management  guidelines  were  well 
designed.  However,  we  were  unable  to  obtain  evidence  that  all  changes  made 
by  the  Application  Development  team  consistently  follow  the  documented 
guidelines 


Implications  and  risks  if  recommendation  not  implemented 

Without  well  designed  change  management  processes  that  are  consistently 
followed  throughout  the  organization,  unauthorized  changes  to  data  in  financial 
or  business  systems  may  not  be  detected.  In  addition,  confidential  financial  or 
business  information  may  be  used,  modified  or  disclosed  in  a  way  that  leads  to 
fraud,  loss  of  money,  or  loss  of  reputation. 
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2.2  AGLC  Contract  management — implemented 

On  pages  131-133  of  our  2002-2003  Annual  Report,  we  recommended  thai 
AGLC  strengthen  its  contract-management  practices.  In  our  2005-2006  Annual 
Report,  we  reported  that  AGLC  had  made  satisfactory  progress  by  improving  its 
contracting  practices.  It  had  developed,  approved  and  Implemented  revised 
contracting  policies,  including  standard  contract  templates,  contract  summary 
sheets,  contract  summary  documents,  and  documentation  of  contractor  conflicts 
of  interest.  AGLC  had  not  finished  implementing  three  parts  of  the 
recommendation,  which  we  assessed  again  this  year. 

AGLC  fully  implemented  the  recommendation  by: 

•  establishing  more  comprehensive  contracting  policies — refining  operating 
procedures,  setting  standards  for  documentation  (including  business  cases), 
and  establishing  performance  benchmarks  in  contracts. 

•  improving  processes  to  monitor  contractors  through  inspections,  reviews  of 
contractor  reporting,  approvals  of  payments  only  after  contract  conditions 
have  been  met,  and  tracking  and  regular  monitoring  of  key  deliverables 
specified  in  contracts. 

•  strengthening  the  process  for  timely  signing  of  contracts  and  documenting 
the  business  reasons  for  signing  contracts  after  services  start. 


Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  the  Department,  the 
Victims  of  Crime  Fund,  the  Alberta  Gaming  and  Liquor  Commission,  and  the 
Alberta  Lottery  Fund  for  the  year  ending  March  31,  2008  are  unqualified. 

Performance  reporting 

No  exceptions        We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry  and  Alberta  Gaming  and  Liquor  Commission's  performance  measures. 


Progress,  but  three 
parts  outstanding 


Several  practices 
improved 


Unqualified 
auditor's  reports 
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Sustainable  Resource  Development 

Summary  of  our  recommendations 

The  Ministry  should  put  processes  in  place  to  allow  significant  revenues  currently 
recorded  when  cash  is  received  to  be  recorded  when  revenue  is  due  to  the  Crown- 
see  below. 

With  respect  to  management  of  sand  and  gravel  resources,  the  Department  needs  to 
improve  monitoring  and  enforcement  of  operators'  legal  obligations,  to  assess 
current  royalty  rates,  and  to  use  its  information  more  effectively — see  page  356. 


Our  audit  findings  and  recommendations 

1 .    Controls  over  revenue 
Recommendation  No.  39 

We  recommend  that  the  Department  of  Sustainable  Resource  Development 
put  processes  in  place  to  allow  significant  revenues  currently  recorded 
when  cash  is  received  to  be  recorded  when  revenue  is  due  to  the  Crown. 


Background 

In  2008,  the  Ministry  recorded  approximately  $200  million  of  revenue.  Revenue 
for  the  Ministry  comes  primarily  from  transfers  from  the  Government  of 
Canada,  Timber  Royalties  and  Fees,  Land  and  Grazing  Fees,  and  Fish  and 
Wildlife  licenses.  Land  and  grazing  fees  include  fees  for  sand  and  gravel  usage 
and  other  land  disturbance  fees. 


Some  revenue  is  The  amount  of  usage  in  calculating  timber  royalties,  sand  and  gravel  fees  and 

companies  ^  omer  'anc*  disturbance  fees  *s  self  assessed  by  the  companies. 


A  disturbance  fee  is  charged  for  oil  sands  mines,  once  land  is  disturbed,  based 
on  a  fee  of  $200  per  acre  for  each  acre  actually  disturbed.  This  is  a  one  time 
charge  that  is  paid  over  the  life  of  the  mine  (up  to  25  years)  as  disturbance 
occurs.  The  Ministry  has  approved  dispositions  for  13  oil  sands  mines 
amounting  to  approximately  208,000  acres. 

In  the  accrual  basis  of  accounting,  revenues  and  expenses  are  reflected  in  the 
determination  of  results  for  the  period  in  which  they  are  considered  to  have 
been  earned  and  incurred,  respectively,  whether  or  not  such  transactions  have 
been  settled  finally  by  the  receipt  or  payment  of  cash  or  its  equivalent. 
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In  the  cash  basis  of  accounting,  revenue  is  recorded  when  received. 
Criteria:  the  standards  we  used  for  our  audit 

Controls  over  revenue  should  ensure  revenue  is  completely  and  accurately 

recorded. 

Our  audit  findings 

As  indicated  in  the  findings  in  our  sand  and  gravel  audit  (see  section  2  below), 
the  Ministry  lacks  a  control  to  ensure  that  all  revenues  from  usage  of  sand  and 
gravel  are  completely  recorded. 

The  Ministry  also  reports  surface  disturbance  charges  for  mineral  surface  leases 
on  a  cash  basis.  For  12  of  the  mines,  the  Ministry  is  at  least  one  year  behind  in 
reviewing  the  self  assessment  reports.  In  the  case  of  the  largest  mine,  the 
Ministry  reported  to  us  that  they  needed  to  review  documentation  with  the 
company  back  to  1990  and  was  unable  to  provide  an  estimate  of  how  much 
money  is  owed  by  the  company. 

Implications  and  risks  if  recommendation  not  implemented 

The  Ministry  may  not  bill  and  correctly  record  all  the  revenue  it  is  entitled  to. 
The  Ministry  may  also  not  be  able  to  fully  collect  the  revenue  earned  in  the  year 
because  the  limitation  period  for  enforcement  as  per  the  Limitations  Act  may 
have  expired. 

Management  of  sand  and  gravel  resources 
Summary 

What  we  examined 

Alberta  communities  are  growing  and  with  them  is  the  demand  for  sand  and 
gravel.  The  Department  of  Sustainable  Resource  Development  (SRD)  manages 
this  natural  resource  for  Albertans  by  administering  access  to  public  lands  for 
sand  and  gravel  extraction.  We  assessed  whether  the  Department  has  effective 
systems  to  allocate  and  collect  royalties  for  this  resource  and  ensure  responsible 
environmental  stewardship  of  public  lands. 

Why  this  is  important  to  Albertans 

Alberta's  sand  and  gravel  play  a  vital  role  in  virtually  every  aspect  of  the 
construction  industry.  Currently,  active  gravel  leases  in  Alberta  cover 
approximately  160.000  acres1.  The  steward  of  this  resource  should  be  held 
accountable  for: 


1  406  commercial  operators  are  working  on  1,016  leases  totalling  160,000  acres. 


2. 
2.1 

How  are  resources 
allocated,  royalties 
collected  and  land 
reclaimed 
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Protect 

environment  and 
collect  fair 
royalties 


SRD  cannot 
confirm  all 
operators  have 
fulfilled  their 
obligations 


Royalties 
unchanged  since 
1991 


Better 

management  of 
resources  needed 


1 .  ensuring  reclamation  of  the  land 

2.  obtaining  fair  royalties 

3.  effectively  using  department  information 

What  we  found 

•  SRD  is  behind,  in  some  cases  up  to  20  years,  with  environmental 
inspections.  SRD  has  not  confirmed  the  area  disturbed  or  reclamation 
status  of  approximately  240,000  acres  of  land  which  has  been  explored  and 
5.000  acres  of  inactive  holdings 

•  there  are  few  consequences  to  operators  for  not  fulfilling  their 
environmental  or  legal  obligations.  It  is  potentially  less  expensive  for  an 
operator  to  abandon  a  security  deposit  than  to  reclaim  land  damaged  by 
aggregate  extraction 

•  operators  that  are  non-compliant  with  environmental  requirements  can 
nevertheless  be  awarded  new  aggregate  holdings  on  other  public  land 

•  royalty  rates  have  not  been  changed  since  1991  and  are  based  on  amounts 
reported  by  industry  without  verification 

What  needs  to  be  done 

While  a  new  policy  is  guiding  allocations  and  SRD  is  working  to  improve  its 
management  of  aggregate  resources,  we  make  five  recommendations  to  deal 
with: 

•  monitoring  and  enforcement  of  operators'  legal  obligations. 

•  the  current  royalty  structure. 

•  information  management. 


Royalty  revenue 
increased  54%  in 
three  years 


2.2  Background 

The  aggregate  industry 

The  sand  and  gravel  industry  has  benefited  from  Alberta's  growth.  Commercial 
sand  and  gravel  operators  paid  over  $8.2  million  in  royalties  to  Albertans  in 
2006-2007,  an  increase  of  54%  since  2003-2004.  Royalty  rates4  did  not 
change — the  increase  in  revenue  is  due  to  an  increase  in  extracted  volumes. 

At  the  end  of  2007,  405  companies  held  1,016  active  sand  and  gravel  holdings 
occupying  about  160,000  acres  of  public  land.  Industry  reported  extracting 
1 1.4  million  tons  of  aggregate  from  these  aggregate  holdings  during  2007. 


1  The  total  area  of  a  disposition  may  not  be  disturbed,  for  example,  explorations  typically  have  many  small  holes  over  a  large 
area  or  only  20  acres  of  a  60-acre  lease  may  be  mined. 

'  The  terms  holding,  disposition,  lease  and  allocation  mean  the  agreement  between  the  Crown  and  a  private  operator 
permitting  removal  of  aggregate  from  Crown  land  for  commercial  gain. 
Currently  $0.75  per  ton. 
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Economic  impact 
hard  to  measure 


It  is  difficult  to  determine  the  financial  impact  of  the  aggregate  industry  on 
Alberta's  economy  because  end-product  costs  vary  widely.  For  example,  a  ton 
of  crushed  gravel  may  cost  $60  in  one  Alberta  market  and  $5  in  another.  A 
senior  board  member  of  the  Alberta  Sand  and  Gravel  Association  estimated  for 
the  total  annual  economic  activity  of  commercial  sand  and  gravel  operations  at 
about  $2  billion. 


Full  extent  of 
deposits  unknown 


Access  to  aggregate  affects  the  cost  of  construction  and  demand  has  been 
increasing  steadily  over  the  past  five  years.  Understanding  supply  and  its 
location  is  important  for  long-term  land  use  and  infrastructure  planning. 
Aggregate  holdings  are  getting  bigger,  rail  transport  is  becoming  more  common 
and  distances  once  considered  cost  prohibitive  are  becoming  economically 
feasible. 


Growth  led  to 
policy  revision 


Maximum  size  of 
an  exclusive 
holding  doubled 


Gaining  access  to 
sand  and  gravel 


Allocating  aggregate  resources 

As  demand  grew,  the  aggregate  industry  requested  SRD  to  approve  larger 
aggregate  holdings,  closer  to  their  markets.  Traditionally,  industry  considered 
40  acres  sufficient  for  profitable  operations.  Larger  holdings  were  limited  to 
public  works  projects  or  industry  specific  uses  such  as  oil  sands  development. 
Large  holdings  close  to  markets  are  advantageous  because  hauling  gravel 
represents  the  majority  of  its  cost  and  the  economies  of  scale  are  better.  SRD 
began  to  grant  larger  aggregate  holdings  on  an  individual  basis  and  complaints 
from  industry  subsequently  arose  about  perceived  allocation  imbalances. 

SRD  revised  its  sand  and  gravel  allocation  policy  in  June  2006.  The  new  policy 
doubled  the  size  of  allocations  on  a  first  come  first  serve  basis,  allowing  an 
operator  to  explore  and  apply  for  holdings  of  up  to  80  acres  without 
competition.  Holdings  over  80  acres  became  subject  to  a  bonus  bid  process 
wherein  industry  bids  for  the  right  to  obtain  large  holdings  on  lands  with  known 
aggregate  deposits.  To  March  31,  2008,  a  bonus  bid  process  had  not  occurred. 

One  way  to  access  small  amounts  of  sand  and  gravel  on  public  land  is  at  a 
public  pit.  Public  pits  supply  aggregate  to  anyone  who  is  willing  to  pay  the 
royalty  and  is  capable  of  removing  the  material.  Alberta  has  64  public  pits, 
generally  less  than  5  acres  in  size.  Albertans  purchase  access  through  a  local 
field  office.  There  are  3  large  public  pits,  exceeding  200  acres  intended  for 
broader  industrial  use.  SRD  manages  these  through  contractors  who  won  a 
tendering  process.  We  did  not  audit  public  pit  operations. 


Aggregate  extraction 

To  gain  exclusive  right-to-use  to  extract  aggregate  from  public  land,  an  operator 
needs  to  obtain  a  Surface  Material  Exploration  (SME)  authorizing  access  to  up 
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Surface  Material 
Lease  required  to 
access  gravel 


Commercial 
operators  must  pay 
royalties  and 
reclaim 


to  320  acres  for  6  months.  The  purpose  is  to  estimate  the  quantity  of  aggregate 
available  and  define  working  parameters  such  as  overburden  depth  and 
groundwater  levels.  The  information  gathered  is  mandatory  for  all  holdings  and 
critical  in  the  development  of  a  Conservation  and  Reclamation  Business  Plan. 
SRD  does  not  require  verification  of  the  exploration  results. 

Successful  exploration  leads  to  an  application  for  a  Surface  Material  Lease 
(SML).  Designed  for  long-term  resource  development  and  management,  SMLs 
last  for  10  years  and  are  renewable.  SMLs  allow  exclusive  access  to  a 
maximum  of  80  acres  and  have  terms  and  conditions  such  as  progressive 
reclamation  .  For  smaller  deposits,  operators  may  seek  a  Surface  Material 
License  (SMC).  Granting  approval  for  a  specified  amount  of  aggregate,  SMCs 
last  one  year  and  are  for  a  maximum  size  of  5  acres.  In  all  cases  where 
aggregate  resources  are  extracted  for  commercial  purposes,  security  deposits 
and  royalty  fees  are  payable  and  reclamation  is  required. 


One  group 
administers  sand 
and  gravel 
resources 


Administration 

SRD's  Major  Industrial  and  Aggregates  Unit  (MIAU)  administers  Alberta's 
aggregate  resources  pursuant  to  legislation,  regulations,  policies  and  procedures. 
They  communicate  all  requirements  and  obligations  through  publicly  available 
forms,  manuals,  consultation  and  agreements. 

Applicants  are  required  to  submit  a  statutory  declaration  identifying  all 
aggregate  holdings  within  a  six-mile  radius  of  the  one  for  which  they  are 
applying.  SRD  will  not  approve  adjacent  allocations  unless  they  are  less  than 
80  acres  combined,  or  the  applicant  can  prove  that  they  are  for  different  markets 
-  for  example  traversed  by  a  river  and  supplying  markets  in  opposite  directions. 
Proximity  to  market  is  a  major  factor  in  the  cost  of  aggregate  and  this  is  a  way 
to  promote  equitable  access  to  viable  deposits. 


Applications  are 
reviewed  by 
several  agencies 


These  agencies  review  applications  for  aggregate  holdings: 
SRD  Rangeland  Management  Branch 
SRD  Integrated  Land  Management  Branch 
SRD  Fish  and  Wildlife  Division 
Alberta  Environment  Water  Management  Branch 
Culture  and  Community  Spirit 
Alberta  Transportation 
Municipality  Development  Office 


5  Progressive  reclamation  means  bringing  the  land  back  to  its  original  state  as  the  project  progresses  -  effectively  "cleaning 
up  as  you  go  along". 
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Application  reviews  ensure  the  land  requested  is  free  of  encumbrances  and 
assigns  operating  conditions  to  the  aggregate  holding.  For  example,  the 
condition  "Utilize  only  existing  road  or  bridge  crossings  to  gain  vehicular 
access  across  any  watercourse"  supports  an  objective  to  manage  the  number  of 
roads  and  bridges  in  an  area.  Field  conditions  are  consolidated  into  the  final 
agreement. 

New  SRD  policy  requires  applicants  to  detail  their  business  and  environmental 
planning  in  a  Conservation  and  Reclamation  Business  Plan  (CRBP).  The  CRBP 
enables  better  application  evaluations  and  the  development  of  more  complete 
forecasts  of  proposed  activities.  It  strengthens  SRD's  ability  to  effectively 
manage  resources  and  ensure  operators  are  knowledgeable  of,  and  have  planned 
for.  their  legal  obligations. 

SRD  has  an  established  an  appeal  process  for  handling  complaints.  It  covers 
three  levels  of  administration  and  the  results  are  binding.  We  saw  evidence  of 
only  three  appeals  made  using  the  formal  process  between  2002  and  2008,  and 
were  told  that  most  issues  are  resolved  through  informal  processes,  such  as 
contact  with  the  Department. 

The  new  policy  demonstrates  that  SRD  has  responded  to  industry  concerns  and 
recognizes  the  need  for  continuous  improvement.  SRD  has  not  yet  completed  a 
post-implementation  review  because  the  policy  is  less  than  two  years  old  and  it 
has  been  busy  educating  industry,  processing  applications  and  undertaking  a 
focused  review  of  holdings  under  renewal. 

2.3.  Our  audit  findings  and  recommendations 
2.3.1  Enforcement  of  reclamation  obligations 
®=T?         Recommendation  No.  40 

We  recommend  that  the  Department  of  Sustainable  Resource  Development 
improve  processes  for  inspecting  aggregate  holdings  on  public  land  and 
enforcing  land  reclamation  requirements. 

Background 

This  year  the  Major  Industrial  and  Aggregates  Unit  is  undertaking  an  inspection 
program  of  232  leases  up  for  renewal  between  2008  and  2010  to  assess  operator 
compliance.  They  are  also  conducting  a  file  review  of  expired  leases  that  have 
not  been  closed  or  renewed. 

SRD  is  developing  the  Land  Management  Inspection  Protocol  (LMIP),  to 
inspect  dispositions  to  all  land  use  industries  including  energy,  surface  material 
and  recreation.  SRD  acknowledges  that  not  every  disposition  of  every  type  in 


Agreement 
conditions 
developed  with 
input  from  many 
agencies 


Appeal  process  in 
place,  but  not 
often  used 


SRD  is  busy 
educating  and 
reviewing 
renewals 
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Alberta  can  be  inspected  regularly  and  LMIP  uses  a  risk  assessment  formula  to 
direct  inspection  priorities.  To  be  effective  for  Sand  and  Gravel,  the  risk 
assessment  formula  must  recognize  the  inherent  risks  for  different  types  of 
dispositions  at  all  points  in  their  lifecycles.  Senior  management  is  placing 
reliance  on  LMIP  to  identify  the  appropriate  risk  levels  and  prioritize  future 
inspections. 


30.000  acres 
known  to  be 
unsatisfactorily 
reclaimed 


New  policy  does 
not  stop 

environmentally 
negligent 
operators  from 
receiving  more 
aggregate  holdings 


Our  audit  findings 

SRD  records  show  aggregate  holdings6  covering  approximately  30.000  acres 
that  have  been  inspected  and  deemed  unsatisfactorily  reclaimed.  A  further 
245.000  acres  are  reported  as  cancelled  with  outstanding  obligations  and  have 
not  been  awarded  a  reclamation  certificate.  240,000  of  these  acres  are  from 
exploration  agreements  and  represent  a  different  level  of  risk  than  the 
5.000  acres  of  leases  and  licenses  yet  to  be  inspected.  Some  aggregate  holdings 
have  remained  un-inspected  since  the  late  1980s. 

The  lack  of  reclamation  inspection  certificates  may  be  due  to: 

•  SRD  having  completed  but  not  recorded  an  inspection 

•  an  incomplete  inspection  or  inspection  with  unsatisfactory  reclamation  in 
process,  or 

•  the  leaseholder  has  not  requested  an  inspection  and  abandoned  their 
security  deposit.  Inspections  are  not  scheduled  unless  the  leaseholder 
notifies  SRD  that  the  aggregate  holding  has  been  reclaimed. 

The  new  policy  does  not  consider  current  or  past  environmental  performance  as 
part  of  applicant  eligibility.  It  indicates  that  progressive  reclamation  will  be 
required  and  that  "renewal  will  be  based  on  the  performance  of  the  lessee," 
suggesting  that  a  poorly  run  pit  will  not  be  renewed.  It  states  that  an  operator 
must  begin  using  the  pit  within  four  years,  implying  that  there  will  be  an 
inspection  at  that  time.  It  also  states  that  periodic  inspections  will  take  place. 

Regardless  of  inspection  results,  an  operator  can  continue  to  extract  aggregate 
from  an  active  holding  and  apply  for  new  ones  while  not  progressively 
reclaiming  or  leaving  expired  and  depleted  aggregate  holdings  un-reclaimed. 
We  found  154  operators  currently  hold  active  as  well  as  unsatisfactorily 
reclaimed  aggregate  holdings. 

We  also  noted  that  some  operators  are  directors  of  multiple  companies  and 
while  one  company  may  have  outstanding  legal  obligations,  a  related  company 


6  These  are  SME,  SMC  and  SML  dispositions 
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may  operate  independently  under  separate  agreements.  SRD  cannot  legally 
restrict  this  practice. 

Agreements  that  govern  holdings  include  terms  and  conditions  relevant  to 
reclamation.  For  example: 

'The  holder  shall  carry  out  interim  reclamation  work  concurrently  with 
operations  and  full  reclamation  prior  to  cancellation  and  abandonment. 
Reclamation  includes  debris  disposal,  slope  stabilization,  re-contouring, 
restoration  of  natural  drainage(s),  replacement  of  surface  soil  and  re- 
vegetation.  "7 

Regulation  allows  SRD  to  enforce  compliance  with  environmental  terms  in 
agreements.  The  Minister  may  demand  that  a  site  be  reclaimed8,  do  the  work  or 
cause  it  to  be  done  and  recover  the  cost  of  reclamation  through  forfeiture  of  the 
security  deposit.  If  the  security  deposit  is  insufficient,  the  Minister  may  recover 
the  costs  from  the  holder  as  a  debt  owing  to  the  Crown  if  the  operator  is  still  in 
business.  The  Minister  can  also  involve  Alberta  Environment  who  can  issue  an 
Environmental  Protection  Order9  on  a  disposition. 

In  the  past  10  years,  SRD  has  issued  no  demands  that  an  operator  reclaim  an 
aggregate  holding  or  pursued  costs  for  reclaiming  land  with  public  funds  since 
no  aggregate  holdings  have  been  reclaimed  with  public  funds.  SRD  has  not 
suspended  active  operations  or  refused  applications  from  operators  with 
outstanding  environmental  obligations.  We  saw  one  occurrence  in  2004  in 
which  SRD  refused  to  renew  a  licence  and  demanded  reclamation.  The  operator 
did  reclaim  the  holding. 

Implications  and  risks  if  recommendation  not  implemented: 

Without  inspection  and  enforcement,  those  responsible  may  not  repair 
environmental  damage  caused  by  the  aggregate  extraction  process,  and  such 
costs  may  have  to  be  borne  by  the  public. 

2.3.2  Flat  fee  security  deposit 
Recommendation  No.  41 

We  recommend  that  the  Department  of  Sustainable  Resource  Development 
assess  the  sufficiency  of  security  deposits  collected  under  agreements  to 
complete  reclamation  requirements. 


'  SML  agreement,  Condition  222 

8  Dispositions  and  Fees  Regulation 

9  Environmental  Protection  &  Enhancement  Act 
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require  land 
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Background 

Operators  pay  a  security  deposit  of  $1,000  per  acre  for  leases  and  $1,500  per 
80  acres  for  exploration.  Deposits  are  intended  to  be  sufficient  to  reclaim  the 
land  if  the  operator  fails  to  do  so. 

The  Department  encourages  progressive  reclamation.  If  a  project  will  proceed 
in  phases  and  the  first  phase  occupies  10  acres,  the  security  deposit  will  be 
$10,000  even  if  the  total  holding  is  for  a  greater  area.  The  expectation  is  that  the 
operator  will  finish  with  the  10  acres  and  reclaim  it  while  moving  on  to  the  next 
part  of  the  holding.  An  operator  can  carry  the  security  deposit  forward  by 
demonstrating  progressive  reclamation  of  the  first  phase,  or  pay  a  further 
security  deposit  for  the  next  phase. 

When  an  operator  has  depleted  or  has  otherwise  finished  with  an  aggregate 
holding,  they  require  a  reclamation  certificate  stating  reclamation  is  complete  to 
get  their  security  deposit  back.  If  an  operator  has  not  extracted  any  aggregate  by 
the  end  of  the  approved  term,  they  will  notify  SRD  of  that  fact.  An  SRD  field 
officer  will  then  confirm  reclamation  or  that  nothing  had  been  disturbed,  and 
approve  return  of  the  deposit. 

If  the  operator  does  not  request  the  return  of  their  security  deposit,  an  inspection 
may  not  occur;  instead  SRD  will  rely  on  the  LMIP  sample  protocol  to  identify 
that  the  site  needs  to  be  inspected.  An  operator  could  be  noncompliant  with 
their  legal  obligations  without  detection  and  only  abandon  the  security  deposit, 
which  may  be  insufficient  to  reclaim  the  land. 

Our  audit  findings 

End  use  is  an  important  part  of  the  reclamation  discussion.  Not  every 
disposition  is  returned  to  its  original  condition.  For  example  a  depleted  pit  may 
become  a  dugout  for  watering  livestock.  Flooding  a  pit  may  save  the  operator 
the  cost  of  growing  trees,  but  a  risk  exists  that  without  appropriate  oversight 
operators  will  choose  to  convert  their  dispositions  into  the  least  expensive,  and 
potentially  inappropriate,  end  use  possible  instead  of  a  suitable  end  state.  The 
new  CRBP  manages  this  risk  to  a  large  degree  by  ensuring  that  the  operator 
commits  to  an  approved  reclamation  plan  before  they  begin  work. 

We  interviewed  two  Edmonton  environmental  service  companies  that  reclaim 
sites  for  industry  and  received  estimates  of  between  $5,000  and  $20,000  per 
acre  to  restore  gravel  pits  to  their  original  condition.  There  are  many  factors 
involved  including  location,  soil  condition  and  the  amount  of  original  soil 
saved,  the  amount  of  sloping  needed  to  achieve  proper  drainage,  access  for 
heavy  machinery  and  whether  trees  or  grasses  are  being  restored. 
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Given  the  potential  cost  of  reclamation  and  the  fact  that  an  operator  can  move 
on  to  new  aggregate  holdings  unaffected  by  prior  non-compliance,  operators 
may  have  little  financial  incentive  to  reclaim  depleted  holdings. 

0ther  Alberta  Environment  has  developed  a  guideline  for  aggregate  holdings  on 

private  land  called  the  Code  of  Practice  for  Pits.  Its  goal  is  to  estimate  actual 

operate  more  r  b 

effectively  reclamation  costs.  The  calculation  of  security  deposits  considers  many  factors 

such  as  location,  heavy  equipment  requirements  and  types  of  materials  required 
for  reclamation.  The  result  is  a  security  deposit  that  more  accurately  represents 
the  true  cost  of  reclaiming  that  specific  holding.  SRD  may  look  to 
Environment's  program  for  some  guidance  in  this  regard. 

Implications  and  risks  if  recommendation  not  implemented 

Operators  will  have  little  financial  incentive  to  reclaim  public  land  and  SRD 
may  incur  the  cost  of  reclamation  exceeding  the  security  deposit. 

2.3.3  Royalty  rates  for  sand  and  gravel 
Recommendation  No.  42 

We  recommend  that  the  Department  of  Sustainable  Resource  Development 
assess  whether  current  royalty  rates  for  aggregate  resources  on  public 
lands  meet  the  aggregate  allocation  program  goals  and  objectives. 

Our  audit  findings 

No  changes  since  The  royalty  rate  of  $0.60  per  cubic  yard,  or  $0.75  a  ton,  for  sand  and  gravel  has 

not  changed  since  1991.  SRD  was  not  able  to  provide  evidence  of  a  royalty 
review  since  1991  to  ascertain  if  it  is  meeting  program  goals  and  objectives. 

Implications  and  risks  if  recommendation  not  implemented: 

Without  regular  reviews  of  the  royalty  structure,  Albertans  may  not  receive  a 
fair  return  for  this  resource. 


2.3.4  Quantity  of  aggregate  removed 
Recommendation 

We  recommend  that  the  Department  of  Sustainable  Resource  Development 
develop  systems  to  verify  quantities  of  aggregate  reported  as  removed  by 
industry  from  public  lands  so  that  all  revenue  due  to  the  Crown  can  be 
assessed  and  recorded  in  the  financial  statements. 


Volumes  removed 
are  reported  on 
honour  system 


Background 

Operators  are  required  to  submit  annual  returns  stating  how  much  material  they 
have  removed  from  an  aggregate  holding  and  an  annual  report  outlining  their 
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activities.  Operator  reported  volumes  and  ac  tivities  are  on  the  honour  system 
and  are  the  basis  for  royalty  payment  calculations.  There  is  no  SRD  verification. 

Currently  the  MIAU  compares  the  annual  return  with  the  annual  operating 
report  of  approximately  25%  of  active  SML  dispositions  annually.  This  is  a 
paper  based  analysis  using  operator  data.  If  there  appears  to  be  a  discrepancy  of 
over  25%  between  the  two  submissions  MIAU  will  request  a  field  inspection. 


Our  audit  findings 

We  reviewed  SRD  documents  expressing  concern  about  the  accuracy  of 
amounts  operators  reported  as  extracted.  These  concerns  prompted  a  pilot 
project  in  1999  using  volumetric  surveys  to  verify  amounts  extracted  from  pits. 
However,  accurately  measuring  quantities  removed  is  difficult.  Over  time 
things  settle,  water  and  snow  can  swell  or  shrink  a  stockpile  and  qualified  labor 
can  be  difficult  and  expensive  to  hire.  SRD  concluded  that  the  reliability  of  data 
and  a  cost  benefit  analysis  did  not  support  using  volumetric  surveys  on  a  large 
scale. 


SRD  has  the  right 
to  audit  but  has  no 
auditor 


Operators  don't 
need  to  use  scales 


Imagery  is 
available 


The  Public  Lands  Act  provides  for  an  aggregate  auditor  and  agreements  with 
operators  allow  SRD  the  right  to  audit.  However,  no  audits  have  been  done 
since  2002  when  a  single  auditor  position  was  vacated. 

Technology  has  improved  and  the  LMIP  initiative  is  equipping  vehicles  with 
GPS  devices  and  satellite  linked  laptops.  These  will  provide  access  to  SRD 
databases  while  at  a  holding.  With  reliable  data  and  proper  tools,  field  officers 
or  auditors  could  reasonably  correlate  reported  to  actual  extraction  volumes. 

SRD  uses  scales  to  measure  amounts  extracted  from  public  pits,  but  does  not 
require  leaseholders  to  use  measuring  systems  at  exclusive  right  to  use  leases. 
While  some  large  operators  do  use  scales,  SRD  could  require  measuring 
processes  for  all  operations  over  a  prescribed  threshold. 

SRD  has  developed  sophisticated  imaging  systems  and  has  many  versions  of 
satellite  and  aerial  images  of  Alberta.  These  resources  could  be  used  to  monitor 
activity,  including  reclamation. 


Implications  and  risks  if  recommendation  not  implemented: 

Without  verifying  how  much  material  is  being  removed  from  gravel  pits,  SRD 
cannot  plan  for  future  needs,  assure  Albertans  that  they  are  receiving  the  correct 
benefit  for  their  resources  or  properly  enforce  operators'  legal  obligations. 
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2.3.5  Information  management 
Recommendation 

We  recommend  that  the  Department  of  Sustainable  Resource  Development 
capture  and  consolidate  information  throughout  the  life  of  an  aggregate 
holding  and  use  it  to  test  compliance  with  legal  obligations. 

Background 

Data  stored  in  Three  separate  databases  contain  elements  of  leaseholder,  geographic, 

inspection  and  financial  information.  Not  all  data  is  exchanged  between  these 
systems  and  there  are  no  rules  guiding  which  system  field  officers  use  for  what 
purposes.  LMIP  focuses  on  one  system  while  MIAU  primarily  uses  the  other 
two. 


Better  planning 
documents 
Provide  better 
information 


The  new  CRBP  has  10  sections  and  details  90  items  including: 

federal,  provincial  and  municipal  regulatory  reviews  and  plans  to  comply, 
waste  management. 

topographical  maps  of  present  and  future  site  boundaries  and  horizons, 
the  amounts  and  timelines  of  material  extraction, 
environmental  impacts  on  water  table,  wildlife,  plant  life, 
plans  to  salvage  timber  and  soils, 
the  reclamation  strategy. 


This  information  is  critical  for  forecasting  expected  activities  and  royalties, 
identifying  unacceptable  activities  and  trends,  and  enforcing  legal  obligations. 


CRBP  details  and 
agreement 
conditions  not 
stored 

electronically 


Our  audit  findings 

We  obtained  source  data  from  the  three  databases  and  constructed  an  integrated 
record.  SRD  does  not  complete  such  a  process.  We  found  no  electronic 
information  on  agreement  conditions,  or  the  qualitative  and  planning 
information  submitted  in  CRBPs. 


Complete 

information 

needed 


The  field  office  we  visited  confirmed  that  with  consolidated  information  they 
could  do  inspections  that  are  more  comprehensive  while  at  pits  because  they 
would  have  access  to  site  plans,  agreement  conditions  and  operator-reported 
extracted  volumes. 


Implications  and  risks  if  the  recommendation  is  not  implemented 

Without  complete  and  properly  integrated  information  available  to  all  relevant 
SRD  staff  forecasting  expected  activities  and  royalties,  identifying  unreasonable 
activities  or  trends  and  enforcing  agreement  conditions  in  the  field  is  at  best 
inefficient  but  highly  ineffective. 
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Complaint 
involves  a  large 
holding  close  to 
the  market 


2.3.6  Other  matters 

In  October  2007.  we  received  a  public  complaint  about  the  alloc  ation  of  a 
705-acre  aggregate  holding  in  the  Grande  Prairie  area.  The  complaint  focused 
on  the: 

•  size  of  the  holding. 

•  location  of  this  holding  as  the  last  known  v  iable  deposit  <  lose  to  (.rande 
Prairie  providing  an  unfair  advantage  to  the  leaseholder. 

•  appropriateness  of  the  holding  being  held  by  a  subsidiary  of  a  large 
multinational  firm. 


We  did  not  find  a 

provincial 

monopoly 


We  confirmed  that  subsidiaries  of  an  international  firm  hold  1,460  of  the 
3.700  acres  of  active  SMLs  in  the  Grande  Prairie  area  and  that  subsidiaries  of 
this  firm  hold  a  further  5.050  acres  of  active  SMLs  elsewhere  in  Alberta.  We 
also  determined  the  ownership  of  the  companies  in  our  sample  files.  We  found 
that  43  companies  have  64  controlling  individuals,  partnerships  or  parent 
companies.  Provincially  we  found  that  61%  of  active  leaseholders  had  one 
holding  and  3.5%  had  over  10  holdings.  Our  analysis  does  not  support  the 
notion  of  a  monopoly. 


The  application  for  the  Grande  Prairie  site  was  dated  August  16.  2002.  The  file 
was  substantially  silent  until  June  2004.  SRD  then  informed  the  applicant  that  a 
review  would  proceed  after  receipt  of  an  updated  conservation  and  reclamation 
business  plan.  The  applicant  submitted  an  updated  plan.  SRD  evaluated  the 
application  and  applied  conditions.  SRD  granted  approval  on  January  18.  2005. 


We  conclude  there 
was  no  evidence 
to  support 
allegations 


This  process  is  similar  to  many  we  reviewed  during  our  audit.  We  found 
internal  and  external  correspondence  addressing  issues,  briefing  notes  to  the 
Minister  recommending  approval  and  the  requested  materials  submitted  to  SRD 
by  the  applicant.  We  found  that  policy  and  procedure  in  place  at  the  time  the 
application  was  processed  was  adhered  to.  We  found  no  evidence  of  influence 
being  exerted  in  the  process. 


Performance  reporting 

Financial  statements 

Unqualified  Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  the  Department 

au  uor  s  reports      ^  ^e  Envjronment  Protection  and  Enhancement  Fund  for  the  year  ended 
March  31,  2008  are  unqualified. 

Our  auditor's  report  on  the  financial  statement  of  the  Natural  Resources 
Conservation  Board  for  the  year  ended  March  31,  2008  is  unqualified. 
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Performance  measures 
No  exceptions       We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
Ministry's  performance  measures. 
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Tourism,  Parks,  Recreation  and 
Culture 

Summary  of  our  recommendations 

IT  control  j}le  Ministry  needs  to  develop  an  IT  control  framework — see  page  51. 

framework  needed 


Recommendation 
implemented 


Accountability 

processes 

improved 


Recommendation 
implemented 


Our  audit  findings  and  recommendations 

1.  International  Development  Program — implemented 

In  our  2004-2005  Annual  Report  (page  142),  we  recommended  that  the  Wild 
Rose  Foundation  improve  its  grant  systems  for  the  International  Development 
Program  by: 

•  enhancing  the  review  of  accountability  reports,  and 

•  establishing  a  way  to  obtain  assurance  that  grant  funds  are  used  as  intended. 

The  Foundation  implemented  our  recommendation  by  improving  its  grant 
accountability  processes.  It  has: 

•  established  new  application  criteria. 

•  developed  an  ongoing  process  to  review  accountability  reports  and  an 
inspection  protocol. 

•  conducted  inspections  of  four  international  projects. 

2.  Community  grants  management — implemented 

In  our  2004-2005  Annual  Report  (pages  203  and  205),  we  recommended 
improvements  to  the  grant  management  systems  of  the  former  Department  of 
Gaming.  The  recommendations  related  to  grant  programs  such  as  the 
Community  Facility  Enhancement  Program,  the  Community  Initiative  Program, 
and  the  Other  Initiatives  grant  program. 


Information  now 
available 


Review  of 
financial  reports 
completed 


The  Ministry  implemented  our  recommendations  by: 

•  publishing  information  on  the  Other  Initiatives  grant  program.  The  Ministry 
of  Culture  and  Community  Spirit  website  describes  the  existence,  nature 
and  purpose  of  the  program. 

•  completing  an  initial  project  to  review  the  backlog  of  financial  reports.  The 
Ministry  continues  to  follow  up  on  financial  reports  from  grant  recipients.  It 
hired  a  person  to  work  on  this  and  it  is  trying  to  hire  a  second  person. 
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Performance  reporting 

Financial  statements 

Our  auditor's  reports  on  the  financial  statements  of  the  Ministry,  Department  and  the 
following  seven  provincial  agencies  for  the  year  ended  March  31,  2008  are 
unqualified. 

•  Alberta  Foundation  for  the  Arts 

•  Alberta  Sport,  Recreation,  Parks  and  Wildlife  Foundation 

•  Human  Rights,  Citizenship  and  Multiculturalism  Education  Fund 

•  The  Alberta  Historical  Resources  Foundation 

•  The  Government  House  Foundation 

•  The  Historic  Resources  Fund 

•  The  Wild  Rose  Foundation 


Performance  measures 
No  exceptions        We  found  no  exceptions  when  we  completed  specified  auditing  procedures  on  the 
performance  measures  in  the  Ministry's  2007-2008  Annual  Report. 
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Treasury  Board 

Summary  of  our  recommendations 

The  Ministry  of  Treasury  Board  should  clarify — in  the  Salaries  and  Benefits 
Disclosure  Directive — what  organizations  must  disclose  of  the  salary  and  benefits 
of  individuals  in  their  senior  decision-making  and  management  group  who  are  paid 
directly  by  a  third  party — see  below. 

With  respect  to  the  Report  of  Select  Payments,  the  Ministry  of  Treasury  Board  needs 
to  do  the  following: 

•  review  the  types  of  information  that  should  be  included  in  the  Report — see 
page  375. 

•  in  conjunction  with  the  Departments,  re-evaluate  its  process  in  preparing  the 
Report — see  page  376. 

•  improve  the  timeliness  of  the  Report — see  page  377. 


Our  audit  findings  and  recommendations 

1 .    Salary  and  benefits  disclosure 
Recommendation 

We  recommend  that  the  Ministry  of  Treasury  Board,  through  the  Salaries 
and  Benefits  Disclosure  Directive,  clarify  what  form  of  disclosure,  under 
what  circumstances,  is  required  of  the  salary  and  benefits  of  an  individual 
in  an  organization's  senior  decision  making/management  group  who  is 
compensated  directly  by  a  third  party. 

Background 

Treasury  Board  Directive  12/98  requires  disclosure  of  salary  and  benefits  for 
individuals  in  an  organization's  senior  decision-making/management  group. 
Some  individuals  may  be  compensated  directly  by  a  third  party,  a  situation  not 
addressed  by  the  Directive. 

Criteria:  the  standards  we  used  for  our  audit 

Salaries  and  benefits  should  be  disclosed  consistently  across  government  for  all 
individuals  in  the  senior  decision  making/management  group  of  government 
organizations  to  ensure  complete  and  transparent  reporting. 


Directive  requires 
salary  disclosure 
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Our  audit  findings 

No  guidance  when         vVe  found  inconsistency,  in  the  absence  of  specific  guidance,  with  the 

disclosures  for  individuals  compensated  directly  by  third  parties.  The 

salary  r  J    J  r 

inconsistency  arises  from  different  conclusions  on  how  to  resolve  the 
Directive's  intent  of  transparency  with  preserving  access  to  the  labour 
marketplace  and  protecting  the  confidentiality  of  the  third  parties  and 
individuals  involved. 


Salaries  and 
benefits  not 
clearly  disclosed 


We  identified  three  instances  across  government  where  individuals  were  being 
compensated  under  third  party  contracts.  Under  the  contracts,  the  government 
organizations  reimburse  the  third  parties  for  the  individual's  salary  and  benefits. 
As  a  result,  the  compensation  paid  is  classified  as  supplies  and  services  expense 
in  the  organization's  financial  statements.  All  of  these  individuals  were 
operating  as  senior  decision  makers  and  were  part  of  the  management  group  of 
the  organization.  In  one  of  the  three  cases,  the  salary  and  benefits  disclosure 
excluded  the  salary  and  benefits  of  the  individual. 


Implications  and  risk  if  recommendation  not  implemented 

The  intent  of  transparency  of  the  Salaries  and  Benefits  Directive  by  disclosing 
fully  and  consistently  the  salary  and  benefits  of  all  senior  decision  makers  of  the 
management  group  may  not  be  achieved. 


Is  the  Report 
accurate, 
complete,  timely 
and  does  it  comply 
with  legislation 


2.    Report  of  Select  Payments  to  MLAs 
2.1  Summary 

What  we  examined 

We  examined  the  I  )epartmenl  of  I  reasurj  Board  (TB)  systems  used  in  the 
annual  publication  of  the  Report  of  Selected  Payments  to  Members  and  Former 
Members  of  the  Legislative  Assembly  and  Persons  Directly  Associated  with 
Members  of  the  Legislative  Assembly  (Report).  Our  objective  was  to  determine 
if  there  are  Treasury  Board  systems  in  place  to  ensure  the  information  in  the 
Report  is  accurate,  complete,  timely  and  complies  with  legislation. 


Why  is  this  important  to  Albertans 

We  undertook  this  audit  as  the  Report  is  the  most  comprehensive  document 
showing  the  payments  made  from  public  funds  to  elected  officials  or  their  direct 
associates.  Albertans  need  to  know  they  can  have  confidence  in  the  accuracy 
and  completeness  of  the  Report  in  ensuring  elected  officials  are  held 
accountable. 


372 


Report  of  the  Auditor  General  of  Alberta— October  2008 


Financial  statement  and  other  assurance  audits 


Treasury  Board 


Room  for 
Improvement 


TB  to  confirm 
Report  continues 
to  be  relevant 


What  we  found 

We  conclude  that  the  Department  's  system  to  record  and  public  Iv  report 
payments  to  Members,  former  Members,  and  persons  associated  with  them, 
requires  improvement. 

The  Report  consists  of  mandatory  items  that  are  reportable  due  to  legislation 
requirements,  for  example,  travel  expenses  as  Minister  of  the  Crown.  There  are 
also  discretionary  items  included  for  which  there  is  no  legislative  requirement 
to  report,  for  example.  MLA  indemnity1  and  tax  free  allowance.  The  mandatory 
and  discretionary  items  are  combined  and  presented  in  the  Report. 

We  found  that  TB  is  properly  reporting  the  mandatory  items  and  the 
discretionary  items.  However.  TB  needs  to  review  what  is  contained  within  the 
Report  to  reaffirm  that  it  continues  to  meet  the  current  requirements.  The 
decision  as  to  what  discretionary  items  to  include  was  made  some  time  ago  by  a 
committee  of  MLAs.  We  do  not  know  if  the  discretionary  items  being  reported 
today  continue  to  meet  MLA  expectations  as  to  what  should  be  included  in  this 
Report.  The  Report  should  meet  the  needs  of  Albertans  by  providing  useful  and 
relevant  information. 


Be  more  efficient 


Report  promptly 


Report  required  by 
two  laws 


We  also  found  the  current  process  to  prepare  the  Report  is  time  consuming.  We 
found  the  Departments  and  TB  are  going  through  a  manual  and  time  consuming 
process  in  confirming  MLA  payments. 

After  compiling  the  information,  TB  verifies  the  information  with  each  MLA. 
The  Report  is  then  forwarded  to  the  Minister  for  tabling  in  the  Legislative 
Assembly.  It  takes  a  year  or  more  to  present  this  Report  publicly. 

What  needs  to  be  done 

TB  needs  to  do  the  following: 

•  review  the  types  of  information  that  should  be  included  in  the  Report. 

•  in  conjunction  with  the  Departments,  re-evaluate  its  process  in  preparing 
the  Report. 

•  improve  the  timeliness  of  the  Report. 

2.2  Background 

Each  year,  TB  prepares  the  Report  as  required  under  section  37(4)  of  the 
Legislative  Assembly  Act  and  section  16(1)  of  the  Conflicts  of  Interest  Act.  The 
Report  that  is  tabled  in  the  Legislative  Assembly  each  year  details  the  payments 
made  to: 


1  Salaries 
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•  current  Members  of  the  Legislative  Assembly  (MLA). 

•  persons  directly  associated  with  MLAs. 

•  former  MLAs. 


Report  has  three 
main  areas 


Both  LAO  and 
departments  are 
source  of 
information  for 

Report 


The  Report  outlining  the  payments  to  current  MLAs  contains  three  main 
areas — Remuneration  &  Benefits.  Reimbursement  for  Expenses  and  Other 
Payments.  These  payments  can  be  described  as  either  a  mandatory  or 
discretionary  reporting  item. 

The  following  table  outlines  the  mandatory  and  discretionary  items  with  the 
amount  of  public  funds  expended  in  each  category: 


Type  of  Expenses  (All  MLAs) 

Mandatory       Fees  and  expenses  for  sitting  on  government 
Items  boards,  commissions  or  committees.  Salary 

and  travel  expenses  paid  to  a  cabinet  minister. 
Discretionary    MLA  Indemnity,  RRSP  allowance,  MLA  tax 
Items  free  allowance,  benefits,  travel  expenses  as  a 

MLA,  temporary  residence  allowance. 


Amount 

$3,913,684 


$9,988,752 


The  Legislative  Assembly  Office  (LAO)  pays  MLA  expenses,  MLA 
indemnities  and  salaries,  and  fees  for  MLAs  who  sit  on  legislative  or 
government  boards,  commission  and  committees.  The  Departments  reimburse 
the  LAO  for  MLA  costs  associated  with  government  work  such  as  salaries  or 
attending  government  board  meetings.  The  Departments  directly  pay  the  MLAs 
for  government  related  expenses.  TB  prepares  the  Report  based  on  information 
provided  to  them  by  the  LAO  and  the  Departments. 


Every  financial  transaction  of  the  Government  of  Alberta  is  recorded  into 
IMAGIS,  the  government's  financial  system.  Each  transaction  requires 
numerous  chart  fields  to  be  completed  to  record  the  transaction.  The  mandatory 
chart  fields  are: 

business  unit  (ministry) 
the  department  identifier 
the  program  code 
the  date  of  the  transaction 
the  vendor 

the  expense  account  code 
the  amount  of  the  transaction 
the  invoice  date 
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Direct  payments:  There  are  two  types  of  payments  that  can  be  attributed  to  a  MI  A    diret  I 

1LA  pays  payment  and  indirect  payment.  In  a  direct  payment  the  MLA  pays  for  the 

expense  and  is  reimbursed  for  the  amount.  His  or  her  "employee"  number  will 
be  coded  into  the  vendor  chart  field. 


Indirect  payments: 
third  party  pays  to 
benefit  MLA 


In  an  indirect  payment,  a  third  party  pays  for  an  expense  that  was  of  benef  it  to 
the  MLA.  The  third  party  will  be  recorded  as  the  vendor  with  his  or  her 
employee  number  or  vendor  number  coded  into  the  vendor  chart  field.  The 
MLA  who  received  the  benefit  should  have  his  or  her  employee  numbei  entered 
Into  the  non-mandatory  chart  field  called  the  "More"  field. 


Two  databases 
used  to  prepare 
preliminary 
Report 


Payments  recorded  in  IMAGIS  are  electronically  interfaced  into  PAID  (Payee 
Accounts  Information  Database)  at  TB.  In  preparing  the  Report,  TB  queries  all 
of  the  MLA  employee  numbers  in  the  vendor  and  the  "More"  chart  fields.  The 
output  from  this  query  is  sorted  by  the  business  unit  and  forwarded  to  the 
respective  Departments  for  review  (preliminary  report).  A  set  of  instructions 
outlining  the  type  of  expense  accounts  that  need  to  be  reported  is  attached  to  the 
data. 


Each  Department  reviews  the  TB  preliminary  report  to  ensure  all  transactions 
made  directly  or  indirectly  to  a  MLA  are  included.  The  Department  may  make 
additions  or  deletions  to  the  TB  preliminary  report.  The  modifications  are  sent 
back  to  TB. 

TB  then  completes  the  Report  based  on  information  from  PAID,  modifications 
made  by  the  Departments  and  information  supplied  by  the  LAO.  A  draft  version 
of  the  payments  made  to  a  MLA  is  sent  to  each  MLA  for  review.  After  MLA 
approval,  the  Report  is  tabled  in  the  Legislative  Assembly. 

2.3  Our  audit  findings  and  recommendations 
2.3.1  Content  of  Report 
Recommendation 

We  recommend  that  the  Department  of  Treasury  Board  reaffirm  what 
should  be  contained  within  the  Report  of  Selected  Payments  to  Members  and 
Former  Members  of  the  Legislative  Assembly  and  Persons  Directly 
Associated  with  Members  of  the  Legislative  Assembly  to  ensure  it  continues 
to  be  relevant. 


Departments 
review 


TB  completes 
Report 


Our  audit  findings 

No  process  to  js  properly  reporting  the  mandatory  and  discretionary  items.  However,  we 

reaffirm  rclcvBncc 

of  Report  found  that  there  has  been  no  process  to  reaffirm  that  the  Report 's  contents 

continue  to  meet  its  purpose. 
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The  discretionary  items  that  are  reported  have  evolved  over  time.  We  were  told 
a  committee  of  MLAs  met  over  ten  years  ago  to  decide  what  discretionary  items 
should  be  reported.  There  is  limited  documentation  to  show  the  changes  that 
have  taken  place  in  what  is  reported  as  discretionary  items.  Typically,  items 
such  as  MLA  indemnity,  tax  free  allowance  and  benefits  are  reported,  but  not, 
for  example,  hosting  or  working  session  expenses  directly  related  to  the  MLA. 


Combination  of 
statutory  and 
discretionary 


items 


There  is  no  evidence  that  anyone  has  reviewed  the  contents  of  this  Report  to 
ensure  that  taken  together,  the  combination  of  legislative  and  discretionary 
items  still  meets  the  purpose  of  this  Report.  Some  current  MLAs  may  not 
understand  that  parts  of  the  Report  are  discretionary.  These  MLAs  may 
consider  that  what  is  included  as  discretionary  reporting  needs  to  be  changed. 
This  would  result  in  either  an  increase  or  decrease  in  the  type  of  payments  that 
would  be  reported. 


Implications  and  risks  if  recommendation  not  implemented 

Without  confirmation  as  to  what  information  should  be  included  in  the  Report, 
public  confidence  in  systems  to  promote  accountability  of  the  elected  officials 
may  be  compromised. 

2.3.2  Efficiency 
Recommendation 

We  recommend  that  the  Department  of  Treasury  Board  use  current 
technology  to  regularly  and  efficiently  compile  the  material  for  public 
reporting. 


Process  is  not 
efficient 


Our  audit  findings 

The  current  process  to  prepare  the  Report  is  inefficient.  TB  prepares 
preliminary  reports  containing  the  MLA  payments  for  each  Department  to 
review.  The  Departments  do  not  rely  on  the  TB  preliminary  reports  because  the 
information  is  incomplete.  As  the  Departments  cannot  rely  on  the  TB 
preliminary  report,  the  Departments  will  prepare  their  own  reports  using  a 
manual  process  to  identify  the  MLA  expenses. 


Better  coding  is 
needed 


The  preliminary  reports  are  incomplete  due  to  inconsistent  coding  of  MLA 
expenses  by  Department  staff  at  the  time  the  expense  is  being  paid.  The 
Departments  could  improve  their  process  by  ensuring  proper  coding  is 
completed  for  all  MLA  payments  at  the  time  the  transaction  is  being  recorded 
into  IMAGIS.  This  would  allow  the  Departments  or  TB  to  use  IMAGIS  to 
extract  complete  information  on  the  MLA  payments  in  an  efficient  manner. 
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Implications  and  risks  if  recommendation  not  implemented 

An  efficient  system  to  collect  and  report  elected  officials'  payments  will  ensure 
Albertans'  expectations  to  receive  accurate  and  timely  information  are  met. 

2.3.3  Timely  reporting 
Recommendation 

We  recommend  that  the  President  of  Treasury  Board  arrange  for  all  final 
reviews  of  the  Report  to  take  place  within  six  months  of  the  year  end  so  that 
the  Report  can  be  ready  for  tabling  in  the  Legislative  Assembly. 

Our  audit  findings 

In  the  past,  we  have  made  two  recommendations  to  the  Minister  of  Finance  to 
improve  the  timeliness  of  the  Report.  Much  of  the  information  contained  in  the 
Report  is  now  routinely  reported  and  widely  available  on  government  internet 
sites.  For  example,  a  Minister's  office  expenses  are  posted  by  each  Department 
monthly,  in  the  month  following  the  activity.  Other  examples  of  timely 
reporting  include  the  Government  of  Alberta  making  public  the  consolidated 
financial  statements  by  June  30  of  each  year,  three  months  after  the  fiscal  year 
end. 

The  2005/06  Report  was  tabled  in  March  2007,  one  year  after  the  fiscal  year 
end.  The  2006/07  Report  was  tabled  in  May  2008,  thirteen  months  after  the 
fiscal  year  end. 

Implications  and  risks  if  recommendation  not  implemented 

MLAs  are  accountable  to  Albertans.  Without  timely  reporting,  this 
accountability  is  delayed  and  can  be  questioned. 

3.    Consistency  of  performance  measures  used  in  both  government  and 
ministry  business  plans — implemented 

In  our  2002-2003  Annual  Report  (p.  27),  we  recommended  that  government 
and  ministry  business  plans  use  consistent  performance  measures  and  targets.  In 
2006,  we  found  that  satisfactory  progress  had  been  made  in  improving  the 
consistency  of  measures  and  targets  that  appeared  in  the  2006-2009 
government  and  ministry  business  plans. 

We  examined  the  consistency  of  measures  and  targets  that  appear  in  both  the 
2008-201 1  government  and  ministry  plans.  We  found  that  measures  and  targets 
are  presented  on  a  consistent  basis. 


Report  takes  too 
long  to  produce 
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Performance  reporting 

Financial  statements 

Unqualified  Our  auditor's  report  on  the  Ministry  of  Treasury  Board  financial  statements  for  the 

auditor  s  report        year  ended  March  3  {  20Q8  ^  unqualified 

Performance  measures 

Because  the  Ministry  did  not  have  any  performance  measures,  we  did  not  complete 
any  specified  auditing  procedures. 
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Outstanding  recommendations 

This  is  a  complete  listing  of  numbered  and  unnumbered  recommendations  that  are  not  yet 
implemented. 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Cross-Ministry 

Executive  Council 

2004-05 

#1  &#2,  p.  28 

Recruiting,  evaluating  and  training  boards  of 
directors 

Sen  ice  Alberta 

2005-06 

#22,  vol.  1,  p.  174 

IT  Project  Management 

Treasury  Board 

2006-07 

#17,  vol.  l.p.  174 

Government  credit  cards 

Aboriginal  Relations 

2006-07 
vol.  2,  p.  124 

Grant  monitoring 

Advanced  Education  and  Technology 

April  2008 
#l.p.  22 

Post-Secondary  Institutions — non-credit 
programs:  Clarify  standards  and  expectations 

April  2008 
#2,  p.  23 

Post-Secondary  Institutions — non-credit 
programs:  Monitor  Institutions'  non-credit 
programs 

April  2008,  p.  42 

Monitoring  vocational  programs  and  degrees 
offered  by  private  institutions 

April  2008,  p.  195 

College  and  technical  institute  computer 
controls:  Well-designed  and  effective  IT 
control  policy  and  processes 

Alberta  College  of  Art  and 
Design 

2006-07 
vol.  2,  p.  21 

IT  internal  controls 

Alberta  College  of  Art  and 
Design 

April  2008,  p.  180 

ACAD — Financial  reporting  and  year-end 
processes 

Alberta  College  of  Art  and 
Design 

April  2008,  p.  182 

ACAD — Payroll  controls 

Grande  Prairie  Regional 
College 

2006-07 

#20,  vol.  2,  p.  20 

April  2008,  p.  183 

Financial  reporting  and  year-end  processes 

Grande  Prairie  Regional 
College 

April  2008.  p.  184 

Capital  asset  management 

Grant  MacEwan  College 

2004-05,  p.  104 

Computer  control  environment 

Grant  MacEwan  College 

November  2006 
#9,  p.  35 

Post  Secondary  Institutions:  Grant  MacEwan 
College  construction  management 

Grant  MacEwan  College 

November  2006 
#10,  p.  37 

Post  Secondary  Institutions:  Donations  to 
Grant  MacEwan  College 

Grant  MacEwan  College 

April  2008 
p.  186 

Grant  MacEwan  College — Bookstore 
operations 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Mount  Royal  College 

ZUU4-U0,  p.  1UU 

Retention  and  severance  agreements 

Mount  Royal  College 

£U(J4-Uj,  p.  11)1 

Governance  and  Human  Resources 
Committee  Charter 

ronage  Lonege 

April  2UU8.  p.  189 

Portage  College — Fuel  purchases  on  fuel 
cards 

Northern  Alberta  Institute 
of  Technology 

April  ZUUo.  p.  40 

NAIT — construction  management  processes: 
selection  processes 

University  of  Alberta 

2U03-04,  p.  252 

Strategic  planning  for  Research 

University  of  Alberta 

2l)U5-Ub 
vol.  2.  p.  29 

Campus  security  services 

University  of  Alberta 

2UUb-0/ 

vol.  2.  p.  24 

Security  configuration  settings 

University  of  Calgary 

ZUIM-U4 

ff£0,  p.  ilJJ 

Planning  for  research  capacity 

1    ni\'Drci r\/  f~\ f  f  1 1 nin / 

1  uiii\eisn\  01  LdigaiA 

90m   C\\    r\  OKA 

ZUUo-U4,  p.  £04 

Research  measures  and  targets 

uiuvcrsiiv  oi  i^ciigary 

9nn'j  n,i  ri  9C7 
£l)Uo-U4,  p.  £3 / 

20UO-0/ 

vol.  2,  p.  15 

Controls  over  sponsored  research  and  trust 
accounts 

1  1  n  i  \  'ore  i  t\ 1  r\T  I    o  Innn  ' 

UIIlvtMMlY  Ol  V^dlgdly 

9nn^  n^ 
£UU4-U0 

#18.  p.  90 

Research  roles  and  responsibilities 

VJIII\ LI  Mly  Ul  L.dlgdl\ 

9nn \  c\k  ™  oi 
£UU4-U j.  p.  y  I 

Research  policies 

University  of  Calgary' 

2004-05,  p.  92 

Research  project  proposals 

University  of  Calgary' 

2004-05,  p.  93 

Research  project  management 

University  of  Calgary 

2004-05,  p.  94 

Accounting  for  research  revenues  and 
expenditures 

University  of  Calgary 

2005-06 

\/nl    9   n  9fl 
V  Ol.  L,  p.  L\J 

General  computer  controls 

University  of  Calgary 

2005-06 

\/nl    9   n  9/1 
VOL  £.  p.  £4 

•  2006-07 
vol.  2,  p.  13 

•  October  2008 
#22,  p.  220 

PeopleSoft  security 

University  of  Calgary 

2006-07 

#18,  vol.  2,  p.  10 

Information  technology  (IT)  governance  and 
control  framework 

University  of  Calgary 

2006-07 
vol.  2,  p.  12 

October  2008 
p.  217 

Controls  over  payroll 

University  of  Lethbridge 

2006-07 

#21.  vol.  2,  p.  23 

IT  internal  framework 

Agriculture  and  Rural  Development 

2000-01,  #3,  p.  50 

2004-05 
#20,  p.  113 

Evaluating  program  success:  grant 
management 

2002-03.  #3,  p.  49 

Performance  measurement 

2003-04,  #3.  p.  80 

BSE  Report  July  2004:  Risk  assessment  for 
the  agriculture  and  agri-food  industry  in 
Alberta 

2005-06 
vol.  2,  p.  39 

Verifying  eligibility  for  the  Canada-Alberta 
Fed  Cattle  Set  Aside  program 

2005-06 
vol.  2.  p.  40 

Developing  and  monitoring  compliance  with 
an  information  technology  security  policy 

2005-06 

#24.  vol.  2.  p.  37 

Verifying  eligibility  for  Farm  Fuel  Benefit 
program 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

■ 

Repeated 

Recommendation  subject 

November  2006 
#12.  p.  46 

Expense  Accounts:  Processes  for  reporting 
and  dealing  with  allegations  ol  employer 
misconduct 

Agriculture  Financial 
Services  Corporation 

2006-07 
vol.  2.  p.  32 

Loan  loss  allowance  methodolng\  and 
process 

Agriculture  Financial 
Services  Corporation 

2006-07 
vol.  2.  p.  34 

Wireless  technology 

Also  see  Recommendations  to  more  than  one  ministry — page  388 

Children  and  Youth  Services 

2001-02.  #8,  p.  53 

2002-03.  p.  69 

Contract  Management  Systems 

2001-02.  #9.  p.  54 

Risk  assessment  and  internal  audit  services 

2006-07 

#6.  vol.  l.p.  79 

Child  intervention  services:  Fnhant  ed  child 
intervention  standards 

2006-07 

#7,  vol.  l.p.  82 

Child  intervention  services:  Accreditation 
systems  for  service  providers 

2006-07 

#8,  vol.  1.  p.  83 

Child  intervention  services:  Department 
compliance  monitoring 

Child  and  Family  Services 
Authorities 

2006-07 
vol.  1,  p.  86 

Child  intervention  services:  Authorities 
compliance  monitoring  processes 

Child  and  Family  Services 
Authorities 

2006-07 
vol.1,  p.  88 

Child  intervention  services:  Authorities 
monitoring  of  sen  ice  providers 

Culture  and  Community  Spirit 

Also  see  Recommendations  to  more  than  one  ministry — page  388 

Education 

2004-05 
#27,  p.  157 

2006-07 

#22,  vol.  2.  p.  46 

(Purchase  of  textbooks)  Savings  generated 
by  Learning  Resources  Centre 

2005-06 

#25,  vol.  2.  p.  65 

School  board  budget  process 

2005-06 

#26,  vol.  2,  p.  68 

School  board  interim  reporting— minimum 
standards  and  best  practices 

2006-07 
vol.  2.  p.  45 

Business  cases 

Employment  and  Immigration 

2006-07 
vol.  2,  p.  55 

Income  support  program — exception  reports 

2006-07 
vol.  2,  p.  56 

Compliance  audit  function — Income  support 
program 

2006-07 
vol.  2,  p.  57 

Debit  cards 

2006-07 
vol.  2,  p.  58 

Capital  asset  policy 

2006-07 

#23.  vol.  2,  p.  60 

Information  technology  control  environment 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Energy 

2003-04 
#10,  p.  125 

Oil  sands  projects  approvals — incorporating 
risk  into  project  assessment 

2004-05 
#28,  p.  165 

2005-06 
#27,  vol.  2,  p.  76 

Assurance  on  well  and  production  data 

2006-07 

#9,  vol.  l,p.  115 

Energy's  royalty  review  systems:  Royalty 
regime  objectives  and  targets 

2006-07 

#10,  vol.  l,p.  119 

Energy's  royalty  review  systems:  Planning, 
coverage,  and  internal  reporting 

2006-07 

#11,  vol.  1,  p.  124 

Energy's  royalty  review  systems:  Improving 
annual  performance  measures 

2006-07 

#12,  vol.  1,  p.  126 

Energy's  royalty  review  systems:  Periodic 
public  information 

2006-07 

#13,  vol.  1,  p.  129 

Energy's  royalty  review  systems:  Enhancing 
controls 

April  2008.  p.  57 

Department  of  Energy's  system  for 
identifying  and  managing  conflicts  of 
interest:  Documenting  potential  conflicts  of 
interest 

Energy  Resources 
Conservation  Board 

2004-05 
#29,  p.  169 

Assurance  systems  for  volumetric  accuracy 

Energy  Resources 
Conservation  Board 

2004-05 
#30,  p.  173 

Liability  management  for  suspension, 
abandonment  and  reclamation  activities 

Energy  Resources 
Conservation  Board 

2006-07 

#24,  vol.  2,  p.  71 

IT  control  framework 

Also  see  Recommendations  to  more  than  one  ministry — page  388 

Environment 

1 998-99 
#30,  p.  158 

•  2000-01 
#8,  p.  90 

•  2004-05 
#31,  p.  180 

Financial  security  for  land  disturbances 

2002-03 
#12,  p.  103 

2005-06 

#29.  vol.  2.  p.  87 

Contaminated  sites  information  systems 

2005-06 
#l,vol.  l,p.  37 

Drinking  Water:  Approvals  and  registrations 

2005-06 

#2,  vol.  l,p.  43 

Drinking  Water:  Inspection  system 

2005-06 

#3,  vol.  l,p.  49 

Drinking  Water:  Waterworks  operators 

2005-06 

#4,  vol.  1,  p.  52 

Drinking  Water:  Information  systems 

2005-06 

#5,  vol.  1,  p.  53 

Drinking  Water:  Supporting  Environment's 
drinking  water  goals 

2005-06 
vol.  1.  p.  48 

Drinking  Water:  Communicating  with 
partners 

2005-06 

#28.  vol.  2,  p.  84 

Water  Well  Drilling 

Also  see  Recommendations  to  more  than  one  ministry — page  388 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Executive  Council 

See  Cross-Ministry — page  379 

Finance  and  Enterprise 

2005-06 

ff oua,  \  01.  c,  p.  y  / 

Supplementary  Retirement  Plans — assess  the 

til II lUtll  (1I1U  \  1111  lllldl  1\  I.  1  UMS  dl  1(1  1 1S1\> 

2006-07 

\jr\\    9    n  8^ 

VOl.  L,  p.  00 

Alberta  Indian  Tax  Exemption  program 
limits 

2006-07 

\r>l     1     n  1/19 
V  01.   1  .  p.   1  4<L 

The  Government's  revenue  forecasting 

by  bit  I  MS.  l\tlU  ;>  Ul  It  IUII1  USt  U  IU  IUI I  t  dM 

investment  income 

vol.  1.  p.  143 

Trio  I   f\\ */irn  m/iii  1  (.  r.-\  I'liiii-  I  /  if/ »/ ■ 'i  (.  1 1 1 1  ( l 
1  IK  OUv  t_  1  I1IIK  III  S  1 1  \  t  I  lilt  lUIlV/lMIll^ 

systems:  Personal  income  tax  forecast 

2006-07 

#14.  vol.  l.p.  145 

The  Government's  revenue  forecasting 
systems:  Corporate  income  tax  forecast 

2006-07 

#16.  vol.  1,  p.  149 

The  Government's  revenue  forecasting 
systems:  Public  reporting  of  revenue 
forecasts 

2006-07 
vol  2  d  87 

Obtaining  assurance  on  third  party  service 
providers 

AIMCo 

2006-07 

#25  vol  2  d  91 

Controls  over  derivative  contracts 

AIMCo 

2006-07 
vol.  2.  p.  92 

October  2008 
#33,  p.  287 

Controls  over  private  equity  partnership 
investments 

AIMCo 

2006-07 
vol.  2,  p.  93 

Access  and  change  management  controls 

ATB 

1999-00 
#49.  p.  281 

•  2000-01 
#49.  p.  258 

•  2001-02 
#17,  p.  103 

•  2003-04 
#18,  p.  161 

•  2004-05 
#33.  p.  195 

Strengthening  internal  controls — branch 
operations 

ATB 

2001-02 
#16.  p.  101 

2002-03 
#16.  p.  121 

Risk  management 

ATB 

2002-03 
#15.  p.  119 

•  2003-04 
#17,  p.  159 

•  2004-05 
#32,  p.  193 

Lending  policy  compliance 

ATB 

2006-07 

#26.  vol.  2,  p.  94 

Processes  to  confirm  compliance  with 
Alberta  Finance  Guideline 

ATB 

2006-07 
vol.  2.  p.  97 

Information  technology  control  framework 

ATB 

2006-07 
vol.  2.  p.  99 

General  loan  loss  allowance 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Health  and  Wellness 

1997-98 
#27,  p.  125 

•  1999-00 
#21,  p.  144 

•  2005-06 
#19, 

vol.  l,p.  153 

Population-based  funding:  Data 
improvement 

1998-99 
#19,  p.  93 

1999-00 
#39.  p.  238 

Academic  Health:  Governance  and 
accountability 

2000-01 
#17,  p.  121 

2005-06 

#33,  vol.  2,  p.  120 

Analysis  of  physician  billing  information 

2001-02 
#24,  p.  135 

•  2003-04 
#22,  p.  195 

•  2005-06 
#34,  vol.  2,  p. 
123 

Information  technology  control  environment 

2001-02,  p.  134 

2002-03 
•••22.  p.  152 

Control  of.  and  accountability  for,  restricted 
funding 

2002-03 

#23,  p.  156  and  157 

Province  Wide  Services 

2003-04 
#23,  p.  197 

Accountability  of  the  Health  Regions  to  the 
Minister  of  Health  and  Wellness 

2005-06 

#17,  vol.  l,p.  146 

RHA  Global  Funding:  Defining  goals  and 
performance  measures 

2(t()5  o<> 
vol.  l,p.  147 

RHA  Global  Funding:  Periodic  analysis 

2005-06 

#18,  vol.  l,p.  149 

RHA  Global  Funding:  Non-formula  funding 
adjustments 

2005-06 

#20,  vol.  l.p.  155 

RHA  Global  Funding:  Funding 
communications 

2005-06 

#21,  vol.  1,  p.  156 

RHA  Global  Funding:  Coordination  of 
capital  and  operating  decisions 

2005-06 
vol.  l,p.  158 

RHA  Global  Funding:  Documentation 
retention 

2005-06 
vol.  l,p.  159 

RHA  Global  Funding:  Data  availability  and 
timeliness 

2005-06 
vol.  l,p.  160 

RHA  Global  Funding:  Resolving  Global 
Funding  issues 

2005-06 

#31,  vol.  2,  p.  116 

2005  Ministry  annual  report — results 
analvsis 

2005-06 

#32,  vol.  2,  p.  118 

2005  Ministry  annual  report — performance 
measures 

2006-07 
vol.  2,  p.  105 

Unauthorized  network  connections 

2006-07 
vol.  2.  p.  107 

Claims  assessment  system 

April  2008 
#4,  p.  77 

Implementing  the  Provincial  Mental  Health 
Plan:  The  accountability  framework 

Department  and  Alberta 
Mental  Health  Board 

April  2008 
#3,  p. 72 

Implementing  the  Provincial  Mental  Health 
Plan:  Implementation  systems 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Alberta  Alcohol  and  Drug 
Abuse  Commission 

November  2006 
#1.  p.  14 

Contracting  Practices:  Internal  controls 

Alberta  Alcohol  and  1  )rug 
Abuse  Commission 

November  2006 
#3.  p.  17 

Contracting  Practices:  Board  governance 

Alberta  Alcohol  and  Drug 
Abuse  Commission 

2006-07 
vol.  2.  p.  116 

( General  <  omputei  <  ontrols 

Alberta  Cancer  Board 

2006-07 
vol.  2.  p.  115 

(  ontrols  over  a(  <  ess  in  <  omputei 
applications 

Calgary  Health  Region 

2005-06 

#36.  vol.  2.  p.  128 

Monitoring  service  provider  compliance  and 
performance 

Calgarv  Health  Region 

2006-07 

#28.  vol.  2.  p.  112 

Change-management  process 

Calgary  Health  Region 

2006-07 

#29.  vol.  2.  p.  113 

Inappropriate  user  access 

Capital  Health  Authority 
and  Calgary  Health  Region 

2000-01 
p.  135 

Performance  measures  for  surgical  services 

Also  see  Recommendations  to  more  than  one  ministry — page  388 

Housing  and  Urban  Affairs 

No  outstanding  recommendations 

Infrastructure 

No  outstanding  recommendations 

International  and  Intergovernmental  Relations 

No  outstanding  recommendations 

Justice  and  Attorney  General 

2006-07 

#31.  vol.  2.  p.  128 

Information  Technology  Security 

2006-07 
vol.  2,  p.  129 

Disaster  Recovery  Plans 

2006-07 
vol.  2,  p.  130 

Information  Technology  Access  Controls 

2006-07 
vol.  2,  p.  131 

Judicial  Information  Technology  Security 

Legislative  Assembly 

2006-07 
vol.  2.  p.  189 

Strengthen  policies  for  Members"  Services 
Allowance 

2006-07 
vol.  2.  p.  192 

Temporary  Residence  Allowance 

Municipal  Affairs 

2001-02 
#46.  p.  220 

Emergency  preparedness 

2003-04.  p.  265 

2006-07 
Vol.  2.  p.  138 

Information  Technology  management 
controls 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Seniors  and  Community  Supports 

2006-07 
vol.  2,  p.  143 

General  computer  controls 

Department  and  PDD 
community  boards 

2003-04 
#8.  p.  107 

Service  provider  risk  assessment 

Department  and  PDD 
community  boards 

2003-04 
#9.  p.  Ill 

Contract  monitoring  and  evaluation 

PDD  Provincial  Board  and 
6  community  boards 

2003-04.  p.  109 

Contracting  framework  and  policies 

Also  see  Recommendations  to  more  than  one  ministry — page  388 

Service  Alberta 

2001-02 
#22.  p.  120 

•  2002-03 
#20.  p.  143 

•  2004-05 
#37.  p.  284 

Performance  measures 

2003-04 
#20.  p.  177 

Contracting  policies  and  procedures 

2004-05 
#34.  p.  212 

IT  project  management  of  Registry  Renewal 
Initiative 

2005-06 

#37.  vol.  2,  p.  168 

Physical  security 

2005-06 
vol.  2.  p.  165 

2006-07 
vol.  2.  p.  148 

Security  administration  for  shared  services  at 
distributed  sites 

2006-07 

#32,  vol.  2.  p.  146 

IT  Service  level  agreements  between  Service 
Alberta  and  its  client  ministries 

2006-07 
vol.  2.  p.  149 

Risk  assessment  for  central  data  centre  assets 

April  2008 
#7.  p.  170 

Guidance  to  implement  IT  control 
frameworks 

Also  see  Cross-Ministry — page  379 

Solicitor  General  and  Ministry  of  Public  Security 

2006-07 
vol.  2.  p.  154 

Change  Management 

2006-07 
vol.  2.  p.  155 

IT  Business  Continuity  Plan 

Sustainable  Resource  Development 

2002-03.  p.  277 

Contracting 

2005-06 

#13,  vol.  1.  p.  118 

Reforestation:  Performance  information. 

2005-06 

#14,  vol.  1.  p.  118 

Reforestation:  Performance  information 

2005-06 

#15.  vol.  1.  p.  122 

Reforestation:  Monitoring  and  enforcement 

2005-06 

#16.  vol.  l.p.  127 

Reforestation:  Forest  Resource  Improvement 
Association  of  Alberta 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

2005-06 
vol.  1.  p.  129 

Reforestation:  Seed  inventory 

2006-07 
vol.  2.  p.  161 

Leases  and  sales 

2006-07 
vol.  2.  p.  162 

Land  sale  agreements  clearlv  outline  the 
terms  and  conditions  of  sales  and  <  onditions 
in  land  sale  and  lease  agreements  are  met 

2006-07 

#33.  vol.  2.  p.  163 

Requests  for  proposals  to  ensure  the  province 
gets  the  best  possible  value  that  can  be 
obtained  given  government  objectives 

2006-07 
vol.  2.  p.  165 

Project  management 

Natural  Resources 
Conservation  Board 

2003  04 
#28.  p.  294 

2006-07 

#34.  vol.  2.  p.  167 

Natural  Resources  Conservation  Board- 
Rank  compliance  and  enforcement  activities 
based  on  risk  (Confined  feeding  operations) 

Also  see  Recommendations  to  more  than  one  ministry — page  388 

Tourism,  Parks  and  Recreation 

Also  see  Recommendations  to  more  than  one  ministry — page  388 

Transportation 

2003-04 
#29.  p.  301 

Monitoring  processes  for  commercial  vehicle 
and  motor  vehicle  inspection  programs 

2003-04 
#30,  p.  303 

Licensing  of  commercial  vehicle  and  motor 
vehicle  inspection  facilities  and  technicians 

November  2006 
#5.  p.  24 

Capital  grants  to  Metis  Settlements 

April  2008 

#5  and  #6,  p.  155 

Identifying  and  managing  conflicts  of 
interest  for  contracted  IT  professionals 

Treasury  Board 

1996-97 
#25,  p.  199 

•  1997-98 
#41,  p.  202 

•  1998-99 
#47.  p.  261 

•  1999-00 
#42.  p.  263 

•  2000-01 
#45.  p.  245 

•  2001-02 
#15.  p.  94 

•  2002-03 
#2.  p.  40 

Corporate  government  accounting  policies 

2006-07 

#1.  vol.  1,  p.  39 

Assessing  and  prioritizing  Alberta's 
infrastructure  needs:  Roles  and 
responsibilities  need  to  be  better  defined  and 
understood 

2006-07 

#2,  vol.  1,  p.  49 

Assessing  and  prioritizing  Alberta's 
infrastructure  needs:  Capital  Plan  needs  to 
reduce  deferred  maintenance  and  consider 
life-cycle  costs 
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Past  recommendations 


Outstanding  recommendations 


Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

2006-07 

#Q  vnl    1  n 
fro,  VU1.  1 ,  p.  J4 

Assessing  and  prioritizing  Alberta's 
nil i  dsn  in  nut.  m  etis,  ^cipiun  i  idii  neeus  10 
reduce  deferred  maintenance  and  consider 
life-cycle  costs 

2006-07 

ff  4 ,  VUI.  1.  p.  J  / 

Assessing  and  prioritizing  Alberta's 

ii ii i dsn ik  iui e  neeus.  riocesi  id  piiumize 

individual  infrastructure  projects  needs 

i  mnrnvi  no 
1 1 1 1  ui  uv  ii  ig 

2006-07 

#5.  vol.  1.  p.  59 

Assessing  and  prioritizing  Alberta's 
infrastructure  needs:  Process  to  prioritize 
individual  infrastructure  projects  needs 
improving 

2006-07 
vol.  2,  p.  178 

Inconsistent  budgeting  and  accounting  for 
grants 

Also  sec  (  ross  MinisiiN    page  379 

Recommendations  to  more  than  one  ministry 

Culture  and  Community 
Spirit/Tourism.  Parks  and 
Recreation 

2006-07 
vol.  2.  p.  172 

Computer  control  environment 

Food  Safety 

Regional  Health 
Authorities 

2005-06 

#6,  vol.  1,  p.  76 

Food  Safety:  RHA  food  establishment 
inspection  programs 

Regional  Health 
Authorities  and  Health  and 
Wellness 

2005-06 
vol.  1.  p.  83 

Food  Safety:  Tools  to  promote  and  enforce 
food  safety 

Regional  Health 
Authorities  (supported  by 
Health  and  Wellness 

2005-06 

#7,  vol.  1.  p.  84 

Food  Safety:  RHA  food  safety  information 

systems 

Regional  Health 
Authorities 

2005-06 

#8.  vol.  1,  p.  87 

Food  Safety:  Compliance  with  permitting 
legislation 

Agriculture  and  Food 

2005-06 

#9.  vol.  1.  p.  88 

Food  Safety:  Alberta  Agriculture's 
surveillance  program 

Agriculture  and  Food 

2005-06 

#10,  vol.  1.  p.  91 

Food  Safety:  Alberta  Agriculture's 
inspection  and  investigation  programs 

Agriculture  and  Food 

2005-06 
vol.  1.  p.  94 

Food  Safety:  Alberta  Agriculture's  food 
safetv  information  systems 

Health  and  Wellness  and 
Agriculture  and  Food  (in 
cooperation  with  RHAs) 

2005-06 

#11,  vol.  1.  p.  97 

Food  Safety:  Integrated  food  safety  planning 
and  activities 

Regional  Health 
Authorities.  Health  and 
Wellness,  and  Agriculture 
and  Food 

2005-06 
vol.  1.  p.  102 

Food  Safety:  Eliminating  gaps  in  coverage 

Health  and  Wellness,  and 
Agriculture  and  Food 

2005-06 

#12,  vol.  1.  p.  105 

Food  Safety:  Accountability 
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Auditee 

Original 
Recommendation 

Repeated 

Recommendation  subject 

Seniors  Care  and  Programs 

Health  and  Wellness  and 
RHAs  (working  with 
Seniors  and  Community 
Supports) 

2004-05.  #6.  p.  58 

Seniors  Care  and  Programs,  No.  2— 
page  31:  Compliance  with  Basic  Service 
Standards 

Health  and  Wellness  and 
RHAs  (working  with 
Seniors  and  Community 
Supports) 

2004-05,  #7,  p.  59 

Seniors  Care  and  Programs.  No.  3 — page  34: 
Effectiveness  of  services  in  long  term  care 
facilities 

IT           11                   1    \  I  t      1  1 

Health  and  Wellness 
(working  with  RHAs  with 
Seniors  and  Community 
Supports) 

2004-05.  #8.  p.  59 

Seniors  Care  and  Programs,  No.  4 — page  35: 
Effectiveness  of  services  in  long-term  care 
facilities 

Health  and  Wellness 
(working  with  RHAs  with 
Seniors  and  Community 
Supports) 

2004-05.  p.  61 

Seniors  Care  and  Programs— page  37: 
Information  to  monitor  compliance  with 
legislation 

Health  and  Wellness 
(working  with  RHAs  with 
Seniors  and  Community 
Supports) 

2004-05.  #9.  p.  62 

Seniors  Care  and  Programs.  No.  5— 
page  39:  Determining  future  needs  for 
services  in  long-term  care  facilities 

Health  and  W  ellness 

2004-05.  p.  62 

C  ;  „ 1  rj                                        OH.  O  -> 

Seniors  Care  and  Programs — page  39:  Report 
on  progress  implementing  Continuing  Care 
Strategic  Service  Plans 

Seniors  and  Community 
Supports 

2004-05 
#12,  p.  66 

Seniors  Care  and  Programs.  No.  8: 
Effectiveness  of  Seniors  Lodge  Program 

Seniors  and  Community 
Supports 

2004-05,  p.  67 

Seniors  Care  and  Programs    page  50: 
Determining  future  needs 

Seniors  and  Community 
Supports 

2004-05,  p.  68 

Seniors  Care  and  Programs — page  55: 
Effectiveness  of  the  Alberta  Seniors  Benefit 
Program 

Seniors  and  Community 
Supports 

2004-05 
#13,  p.  69 

Seniors  Care  and  Programs.  No.  9 — page  56: 
Information  to  determine  program  benefits 

Sustainable  Resource  and  Environmental  Management  (SREM) 

Energy,  Environment  and 
Sustainable  Resource 
Development 

2004-05 
#14.  p.  72 

Sustainable  Resource  and  Environmental 
Management  (SREM)  Implementation  Plan 
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Glossary 


Accountability 


Accrual  basis  of 
accounting 

Adverse  auditor's  opinion 
Assurance 


Attest  work,  attest  audit 
Audit 

Auditor 

Auditor's  opinion 
Auditor's  report 
Business  cases 


Capital  asset 

COBIT 


Criteria 
Cross-ministry 


This  glossary  explains  key  accounting  terms  and  concepts  in  this  report. 

Responsibility  for  the  consequences  of  actions.  In  this  report,  accountability  requires 
ministries,  departments  and  other  entities  to: 

•  report  their  results  (what  they  spent  and  what  they  achieved)  and  compare  them  to 
their  goals 

•  explain  anv  differences  between  their  goals  and  results 

Government  accountability  allows  Albertans  to  decide  whether  the  government  is  doing  a 
good  job.  They  can  compare  the  costs  and  benefits  of  government  action:  what  it  spends, 
what  it  tries  to  do  (goals),  and  what  it  actually  does  (results). 

A  way  of  recording  financial  transactions  that  puts  revenues  and  expenses  in  the  period 
when  they  are  earned  and  incurred. 

An  auditor's  opinion  that  financial  statements  are  not  presented  fairly  and  are  not  reliable. 

An  auditor's  written  conclusion  about  something  audited.  Absolute  assurance  is  impossible 
because  of  several  factors,  including  the  nature  of  judgment  and  testing,  the  inherent 
limitations  of  control,  and  the  fact  that  much  of  the  evidence  available  to  an  auditor  is  only 
persuasive,  not  conclusive. 

Work  an  auditor  does  to  express  an  opinion  on  the  reliability  of  financial  statements. 

An  auditor's  examination  and  verification  of  evidence  to  determine  the  reliability  of 
financial  information,  to  evaluate  compliance  with  laws,  or  to  report  on  the  adequacy  of 
management  systems,  controls  and  practices. 

A  person  who  examines  systems  and  financial  information. 

An  auditor's  written  opinion  on  whether  things  audited  meet  the  criteria  that  apply  to  them. 

An  auditor's  written  communication  on  the  results  of  an  audit. 

An  assessment  a  project's  financial,  social  and  economic  impacts.  A  business  case  is  a 
proposal  that  analyses  the  costs,  benefits  and  risks  associated  with  the  proposed 
investment,  including  reasonable  alternatives.  The  province  has  issued  business  case  usage 
guidelines  and  a  business  case  template  that  the  Department  can  refer  to  in  establishing  its 
business  case  policy. 

A  long-term  asset. 

Abbreviation  for  "Control  Objectives  for  Information  and  Related  Technology".  COBIT  was 
developed  by  the  Information  Systems  Audit  and  Control  Foundation  and  the  IT 
Governance  Institute.  COBIT  provides  good  practices  for  managing  IT  processes  to  meet  the 
needs  of  enterprise  management.  It  bridges  the  gaps  between  business  risks,  technical 
issues,  control  needs,  and  performance  measurement  requirements. 

Reasonable  and  attainable  standards  of  performance  that  auditors  use  to  assess  systems. 

The  section  of  this  report  covering  systems  and  problems  that  affect  several  ministries  or 
the  whole  government. 


Crown 


The  Government  of  Alberta. 
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Deferred  maintenance 


ERP 


Exception 
Expense 

GAAP 

Governance 
IMAGIS 
Internal  audit 


Internal  control 


Management  letter 


Material,  materiality 
Misstatement 


Any  maintenance  work  not  performed  when  it  should  be.  Maintenance  work  should  be 
performed  when  necessary  to  ensure  capital  assets  provide  acceptable  service  over  their 
expected  lives. 

Abbreviation  for  Enterprise  Resource  Planning.  ERPs  integrate  and  automate  all  data  and 
processes  of  an  organization  into  one  comprehensive  system.  A  typical  ERP  has  multiple 
modules  within  a  computer  software  application,  standardized  hardware,  and  a  centralized 
database  used  by  all  modules  to  achieve  this  integration.  Although  an  ERP  can  be  as  small 
as  an  accounting  and  payroll  application,  the  term  ERP  is  usually  associated  with  larger 
systems  that  perform  many  functions  within  an  organization.  Examples  of  modules  in  an 
ERP.  which  formerly  would  have  been  stand-alone  applications,  include:  Financials 
(General  Ledger.  Accounts  Payable,  and  Accounts  Receivable),  Payroll,  Human 
Resources.  Purchasing  and  Supply  Chain,  Project  Management,  Asset  Management, 
Student  Administration  Systems  and  Decision  Support  Systems.  Some  of  the  more 
common  ERPs  are  PeopleSoft,  SAP.  Great  Plains,  and  Oracle  Applications. 

Something  that  does  not  meet  the  criteria  it  should  meet — see  "Auditor's  opinion '. 

The  cost  of  a  thing  over  a  specific  time. 

Abbreviation  for  "generally  accepted  accounting  principles",  which  are  established  by  the 
Canadian  Institute  of  Chartered  Accountants. 

A  process  and  structure  that  brings  together  capable  people  and  relevant  information  to 
achieve  goals.  Governance  defines  an  organization  s  accountability  systems  and  ensures 
the  effective  use  of  public  resources. 

Abbreviation  for  the  government's  Integrated  Management  Information  System — a 
customized  version  of  PeopleSoft.  It  is  the  main  computer  program  that  ministries  use  for 
financial  and  human  resource  information  systems. 

A  group  of  auditors  within  a  ministry  (or  an  organization)  that  assesses  and  reports  on  the 
adequacy  of  the  ministry  's  internal  controls.  The  group  reports  its  findings  directly  to  the 
deputy  minister.  Internal  auditors  need  an  unrestricted  scope  to  examine  business 
strategies;  internal  control  systems;  compliance  with  policies,  procedures,  and  legislation; 
economical  and  efficient  use  of  resources;  and  the  effectiveness  of  operations. 

A  system  designed  to  provide  reasonable  assurance  that  an  organization  will  achieve  its 
goals.  Management  is  responsible  for  an  effective  internal  control  system  in  an 
organization,  and  the  organization's  governing  body  should  ensure  that  the  control  system 
operates  as  intended.  A  control  system  is  effective  when  the  governing  body  and 
management  have  reasonable  assurance  that: 

•  they  understand  the  effectiveness  and  efficiency  of  operations 

•  internal  and  external  reporting  is  reliable 

•  the  organization  is  complying  with  laws,  regulations,  and  internal  policies 

Our  letter  to  the  management  of  an  entity  that  we  have  audited.  In  the  letter,  we  explain: 

1 .  our  w  ork 

2.  our  findings 

3.  our  recommendation  of  what  the  entity  should  improve  and  how  it  should  do  so 

4.  the  risks  if  the  entity  does  not  implement  the  recommendation 

We  also  ask  the  entity  to  explain  specifically  how  and  when  it  will  implement  the 
recommendation. 

Something  important  to  decision-makers. 

A  misrepresentation  of  financial  information  due  to  mistake,  fraud,  or  other  irregularities. 
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Outcomes 
Outputs 

Performance  measure 
Performance  reporting 
Performance  target 
Qualified  auditor's  opinion 

Recommendation 

Risk 

Risk  management 
Securitization 

Sole  source  contract 

Specified  auditing 
procedures 

Systems  (management) 
Systems  (accounting) 
Systems  audit 


The  results  an  organization  tries  to  achieve  based  on  its  goals. 

The  goods  and  services  an  organization  actually  delivers  to  achieve  outcomes  I  hey  show 
"how  much"  or  "how  many". 

Indicator  of  progress  in  achieving  a  goal. 

Reporting  on  financial  and  non-financial  performance  compared  to  plans. 
The  expected  result  for  a  performance  measure. 

An  auditor's  opinion  that  things  audited  meet  the  criteria  that  apply  to  them,  except  for  one 
or  more  specific  areas — which  cause  the  qualification. 

A  solution  we — the  Office  of  the  Auditor  General  of  Alberta— propose  to  improve  the  use 
of  public  resources  or  to  improve  performance  reporting  to  Albertans. 

Anything  that  impairs  an  organization's  ability  to  achieve  its  goals. 

Identifying  and  then  minimizing  or  eliminating  risk  and  its  effects. 

Is  a  financial  transaction,  which  involves  the  pooling  and  repackaging  of  cash  flow 
producing  financial  assets  into  securities  that  are  then  sold  to  investors. 

An  agreement  with  just  one  supplier  chosen  without  a  competitive  bidding  process. 

Actions  an  auditor  performs  to  check  certain  qualities,  such  as  reliability,  of  reported 
information  that  management  asks  the  auditor  to  check.  Specified  auditing  procedures  are 
not  extensive  enough  to  allow  the  auditor  to  express  an  opinion  on  the  information. 

A  set  of  interrelated  management  control  processes  designed  to  achieve  goals 
economically  and  efficiently. 

A  set  of  interrelated  accounting  control  processes  for  revenue,  spending,  the  preservation 
or  use  of  assets,  and  the  determination  of  liabilities. 

To  help  improve  the  use  of  public  resources,  we  audit  and  recommend  improvements  to 
systems  designed  to  ensure  value  for  money. 

Paragraphs  (d)  and  (e)  of  subsection  19(2)  of  the  Auditor  Genera]  Act  require  us  to  report 
every  case  in  which  we  observe  that: 

•  an  accounting  system  or  management  control  system,  including  those  designed  to 
ensure  economy  and  efficiency,  was  not  in  existence,  or  was  inadequate  or  not 
complied  with,  or 

•  appropriate  and  reasonable  procedures  to  measure  and  report  on  the  effectiveness  of 
programs  were  not  established  or  complied  w  ith. 

To  meet  this  requirement,  we  do  systems  audits.  First,  we  develop  criteria  (the  standards) 
that  a  system  or  procedure  should  meet.  We  always  discuss  our  proposed  criteria  with 
management  and  try  to  gain  their  agreement  to  them.  Then  we  do  our  work  to  gather  audit 
evidence. 

Next,  we  match  our  evidence  to  the  criteria.  If  the  audit  evidence  matc  hes  all  the  criteria, 
we  conclude  the  system  or  procedure  is  operating  properly.  But  if  the  evidence  doesn't 
match  all  the  criteria,  we  have  an  audit  finding  that  leads  us  to  recommend  what  the 
ministry  must  do  to  ensure  that  the  system  or  procedure  will  meet  all  the  criteria. 


For  example,  if  we  have  5  criteria  and  a  system  meets  3  of  them,  the  2  unmet  criteria  lead 
to  the  recommendation. 
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A  systems  audit  should  not  be  confused  with  assessing  systems  with  a  view  to  relying  on 
them  in  an  audit  of  financial  statements. 

Unqualified  auditor's  An  auditor's  opinion  that  things  audited  meet  the  criteria  that  apply  to  them, 

opinion 

Value  for  money  The  concept  underlying  a  systems  audit  is  value  for  money.  It  is  the  "bottom  line"  for  the 

public  sector,  analogous  to  profit  in  the  private  sector.  The  greater  the  value  added  by  a 
government  program,  the  more  effective  it  is.  The  fewer  resources  that  are  used  to  create 
that  value,  the  more  economical  or  efficient  the  program  is.  "Value"  in  this  context  means 
the  impact  that  the  program  is  intended  to  achieve  or  promote  on  conditions  such  as  public 
health,  highway  safety,  crime,  or  farm  incomes.  To  help  improve  the  use  of  public 
resources,  we  audit  and  recommend  improvements  to  systems  designed  to  ensure  value  for 
money. 


Other  resources 

The  Canadian  Institute  of  Chartered  Accountants  (CICA)  produces  a  useful  book  called,  Terminology  for  Accountants.  They 
can  be  contacted  at  CICA,  277  Wellington  Street  West,  Toronto,  Ontario,  Canada  M5V  3H2  or  www.cica.ca. 
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(Registered)  Pension  Plan  296 

Provincial  Judges  and  Masters  in  Chambers  Reserve 

Fund  296 

Public  Service  Pension  Plan  297 

Public  Service  Management  (Closed  Membership) 

Pension  Plan  297 

Red  Deer  College  49 

Seniors  and  Community  Supports  343 

Service  Alberta  64,345 

Solicitor  General  and  Ministry  of  Public  Security..  52,  351 
Southeast  Alberta  Child  and  Family  Services 

Authority  49,  239 

Southern  Alberta  Institute  of  Technology  49 

Southwest  Alberta  Child  and  Family  Services 

Authority  49,  240 

Special  Forces  Pension  Plan  297 

Supplementary  Retirement  Plan  for  Public  Service 

Managers  297 

Supplementary  Retirement  Plan  Reserve  Fund  296 

Sustainable  Resource  Development  72.  355 

Tourism,  Parks,  Recreation  and  Culture  52,  369 

Treasury  Board  371 

University  of  Alberta  49,  235 

University  of  Calgary  49,  213,  235 

University  of  Calgary  Foundation  235 

University  of  Lethbridge  49,  223,  235 

University  Technologies  Group  49,  235 

Victims  of  Crime  Fund  353 

Wild  Rose  Foundation  369.  370 

Workers'  Compensation  Board  49,  253,  254 
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